BRUCE SCHNEIER Q&A: BROADENING SECURITY, PAGE 24

Joe has a billion-dollar secret. Can he keep it safe from thieves, turncoats and spies? page 28

July/August 2008  $9.00  www.csoonline.com

Ira Winkler Sounds Off, PAGE 38

Continuity Consultants Considered, PAGE 20




July/August 2008  Vol. 7, No. 6

SPECIAL REPORT

28  Joe's Office
Joe's research company relies on layers of defense to keep priceless intellectual property out of the wrong hands. By Stacy Collett, Michael Fitzgerald and Derek Slater

1  Gatehouse  P.29
2  Fence and Flora  P.30
3  Parking and Bollards  P.30
4  Briefcase  P.31
5  Lobby: Surveillance System, Prox Card, Visitor Management System  P.32
6  Multifunction Printer  P.32
7  Windows  P.34
8  Shredder  P.34
9  Biometrics  P.35
10  Joe's Office: Filing Cabinet, Whiteboard, Laptop  P.36

2  From the Editor
4  From the Publisher
6  Join the Discussion
11  Briefing: SQL injection, security tips for Olympics visitors, and more
20  Toolbox: How to Evaluate Business Continuity Consultants. By Stacy Collett
24  The Endless Broadening of Security: Q&A with Bruce Schneier
38  Industry View: The Time and Place for Awareness Training. By Ira Winkler
40  Debriefing: A Blast from the Past


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: $. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover illustration by David Puckett

July/August 2008  www.csoonline.com  1


[ FROM THE EDITOR ]

Recession Questions

Recessions stink. However, since we're in one, let's make the best of it.

What might it mean for a CSO to make the best of a recession? I'd suggest it means honing your focus on your company's operational efficiency.

First, that obviously means you should have a cost-efficient security operation.

Are you cross-training your staff? Have you renegotiated any contracts lately? Are new suppliers willing to negotiate a great rate in order to get their foot in your door?

Are you evaluating open-source and/or free software? There are tons of low-cost options available; you just have to make sure your functional needs continue to be met.

Can you automate any of the tasks your department now does manually? Video content analysis software is a great example of an area where technology is maturing to provide new capabilities. It's possible that security personnel now tied to monitoring video screens or network event logs could be repositioned to more high-value work.

Are your network and security operations centers ripe for consolidation (as suggested in our April Industry View column)?

Second, you should also be able to demonstrate that cost-effectiveness.

How mature is your use of metrics? Are you still relying on threadbare measurements like "We blocked 16 quadrillion infected e-mail attachments last month"? Catch up to the work of thought leaders like George Campbell and Andrew Jaquith on CSOonline, Securitymetrics.org or elsewhere on the Web.

Have you benchmarked your loss-prevention and investigation initiatives against those of your peers? Do you achieve comparable restitution rates?

Third, you should have an eye on any business opportunity where security can contribute to the company's overall efficiency.

Great access control projects can make businesses go faster, not slower.

Role-based identity management can help get new employees and new applications productive faster. And, oh, by the way, those same IDM systems can help quickly de-provision departing employees and contractors as well. Unfortunately, layoffs are the corporate world's knee-jerk reaction to a recession, so you may have to do more de-provisioning than normal over the next while. Handling those de-provisioning tasks efficiently may contribute to overall loss-prevention efforts.

Do you know how quickly new employees (or departing ones) receive (or lose) access cards, network privileges and so forth?

Do you work closely with business partners, such that a federated identity approach might take significant friction out of the value chain?

I'm not a big believer in hunkering down and hoping the economic bombs land on somebody else's bunker. Recessions do stink, but leaders lead the way through them. How are you planning to do that for your department and your company?

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editor Bill Brenner
Asst. Managing Editor Diann Daniel
Copy Editor Susan Bryant-Still
Associate Copy Editor Kristin Burnham
Editorial Assistant Jarina D'Auria
Editorial Administrator Jill Paquette
Contributors Jeff Bardin, Scott Berinato, Stacy Collett, Rick Cook, Michael Fitzgerald, Robert McMillan, Ira Winkler

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson
Senior Research Analyst Seanna Maguire

CXO MEDIA/IDG
COO Matt Smith
CSO Robert Flayes

TECHNICAL ADVISORY BOARD
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO MEDIA INC

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan




Photo by Webb Chappell




[ FROM THE PUBLISHER ]

Olympic Security

Occasionally it's tough to write a column, not for a lack of topics, but because the topics all seem so old: browser vulnerabilities, more government regulations, the latest and greatest breaches, the Celtics' victory over the Lakers (apologies to Lakers fans, but I'm from Boston), and so on.

Then last month I had dinner with a group of security and technology folks in San Francisco, and Jason Hoffman from Kaiser Permanente handed me a topic on a silver platter. Jason asked what businesses are doing if their employees are attending the Summer Olympics in Beijing. Are organizations securing the corporate secrets that may be on the laptops employees carry into China?

Over the years I have heard many stories from CSOs about their encounters with state-sponsored IP theft and industrial espionage. Those stories, while including many countries, have usually focused on two nations in particular: France and China. It just so happens this year that the Summer Olympics are being held in Beijing, a nation noted for its accelerating economy, utter lack of intellectual property protections and talented intelligence services. This is a risky mix to encounter when you are trying to protect corporate secrets.

Nations around the globe have long focused on stealing corporate IP in order to give their native businesses an advantage. The former Soviet Union was very good at this during the Cold War, and even friendly states have been caught on occasion targeting their allies.

I don't want it to seem that I am China-bashing here, because that is not my point.

The point is: What steps are you taking to protect your employees and the intellectual property that they may be carrying with them when they travel abroad? Remember that the Chinese government filters Internet access, preventing those within the borders of China from getting to certain domains that may be deemed contrary to the benefit of the state (think back on the whole Google issue a few years ago). It's not too much of a leap from there to imagining someone snooping around on your computer when you are online in your hotel room or at an Internet cafe.

My advice to you is that you think about these issues, and not just in terms of China. Protecting mobile data is one of the toughest challenges facing CSOs today. I know that most of you are struggling with it. However, a stolen or lost laptop usually just ends up being fenced with little regard for what's stored on the computer. When other nations are involved, they understand that there is a different type of gold in that same laptop that can reap them millions of dollars in benefits.

If you are attending this summer's Olympics, have a great time and make sure you bring a hard copy of CSO magazine to read. After this column, you may have a difficult time accessing CSOonline.com from mainland China.

-Bob Bragdon, bbragdon@cxo.com




Photo by Christopher Navin


Publisher Bob Bragdon
Senior Ad Sales Associate Christine McKay
East Coast Regional Manager Roz Burke
Regional Sales Manager Matt Knuth

INTEGRATED MEDIA AND ONLINE SALES
Vice President, Online Sales Brian Glynn
Online Regional Sales Manager Richard Hartman
Online Regional Sales Manager, West Coast Erika Karr
Online Regional Sales Manager, Midwest Sarah Gaskin
Manager, Online Account Services Danielle Tetreault
Online Account Services Specialists Jennifer Malkasian, Tara Shea
Online Advertising Specialist Barbara Sullivan
Online Sales Associate Erin Sullivan

CUSTOM SOLUTIONS GROUP
Vice President Matt Avery
National Sales Director Adam Dennison

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley
Associate Production Manager Lisa M. Stevenson

EXECUTIVE PROGRAMS
VP, Executive Programs Ellen Daly
Director, Event Marketing Mary Conroy
Director, Event Operations Deb Begreen
Editorial Director Maryfran Johnson
National Sales Manager Per Melker
Eastern Regional Sales Manager Sarah Moon
Sales Associate Lauren Costello
Event Planners Kevin Corrigan, Sarah Reagan
Event Planner/Client Relations Laura Biringer
Registration Specialist Cress O'Brien
Marketing Specialist Kristin Gallo
Client Services Specialist Erica Foster

LIST SERVICES
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com




What's on your mind? Security leaders discuss and debate at www.csoonline.com.


BLOG POST

Does Security Need Whistle-Blowers?

I am increasingly running smack into situations that are making me rethink my long-held beliefs that security is black-and-white. More and more it appears to be a spectrum between fixed points, and sometimes businesses need a little nudge to do the right thing.

My politics are a bit to the right and leaning toward libertarian. I have always felt that government/industry intervention or regulation is something to be avoided. I have always believed that businesses will do the right thing given the opportunity; that the prevailing view of businesses being big and mean and only looking out for their bottom lines is, generally speaking, fiction. But over and over again I see businesses failing to do the right thing when it comes to data security, usually by just not doing anything in the first place. The result is that data, usually personally identifiable customer data, is allowed to walk out the door almost at will.

While there are numerous examples I can cite, I'm going to use my old fallback, TJX, which, incidentally, has seen its stock value and sales increase since the huge data breach that was announced in January 2007. Even after the largest breach in history, they apparently still are failing to address significant security vulnerabilities. This, according to one of their own employees, Nick Benson (see Robert McMillan's article on CSOonline.com). Needless to say, Benson was fired for revealing this information. From what I understand, he didn't go into this trying to be a whistle-blower, and as a student at the University of Kansas he may not have even been familiar with the corporate policies in place at most organizations—policies that restrict employees from speaking with the media or speaking in public about exactly these types of topics. But if TJX isn't appropriately addressing its security problems after last year's fiasco, and they have not been hit with market backlash on their stock price or sales, maybe it's time for regulators to jump in and give them a kick in the [butt].

The problem really boils down to this: If people on the inside know there is a problem that can cause "substantial harm or inconvenience" to customers if their privacy was to be breached, and the company refuses to do anything about it, isn't it in the best interests of society to have someone jump in and force the issue? Maybe. Maybe not. I'm still not sure...and then I remember that some of my financial data is probably flying around on the servers at TJX. Is yours? -Bob Bragdon


RESPONSE

I MOST WHOLEHEARTEDLY disagree with your view, which I believe to be based on the fact that you are not on the inside actually mixing it up and doing the job. Companies repeatedly do what is best for the bottom line on a daily, if not hourly, basis. Security is not a concern unless they are forced to deal with it, and then only as a benign tumor that is removed and forgotten. You are on the outside looking in and only get the corporate line since many are fearful of voicing the truths due to corporate backlash. Who is going to hire you if you come out and speak the truth in public? Instead, we have to lurk around dark chat rooms, subscribe to virtual couch trips and write anonymously like this response.

Integrity is black-and-white but security has many shades of gray. I see this every day as my company chooses not to secure its end points, chooses not to write secure code to get it out the door faster, chooses not to execute a proper disaster recovery and business continuity effort. I see choices made that are not really choices but are institutionalized in the culture daily, which reduce the security posture of the company. I see the business avoiding integration with security since they can choose to do so. If you are on the inside, you would change your tune.

-Anonymous

MORE ON THE WEB

The Security Recruiter Directory

Sometimes to find the right job candidate (or the right job for yourself) you need to find the right recruiter first. Our ever-expanding list of security recruiters can help. www.csoonline.com/article/358217/

Photo by iStockphoto.com

>> DISCUSSION

REPLY

I LIKE YOUR idea about getting security written into the CEO's compensation as an MBO. But isn't that essentially what Sox did? I really think we are saying the same thing but from different angles. I'm certainly not advocating that everyone run out and become a whistle-blower, but at some point there has to be a level of accountability injected into the management structure, and maybe it will take regulation to do that. It's still the number-one driver for security investment.

-Bob Bragdon

BLOG POST

Security by Walking Around (SBWA)

A very old idea in business is the concept of "management by walking around" (MBWA). If I recall correctly, the founders of Hewlett-Packard, Dave Packard and Bill Hewlett, created this concept to define an active strategic management style that required active information gathering and active problem solving—primarily by encouraging direct contact between senior management and key employees, customers and suppliers.

A recent incident brought this concept to mind in relation to information security. We had negotiated an agreement in which a business would outsource certain key back-office operations to an offshore vendor. The vendor would have possession of the business's most sensitive trade secret and customer information. As you would expect, the contract included significant detail concerning the information security measures the vendor was expected to maintain. One such measure was the installation of perimeter security cameras at the vendor's facility. The vendor confirmed all such measures were in place, including the positioning of the security cameras.

As part of post-contract monitoring, a team from the business was dispatched to confirm that the vendor had properly implemented the required security measures. Sure enough, when they arrived at the facility, they found the cameras strategically positioned to provide full coverage of the exterior of the facility. The problem, however, was that they discovered the cameras were not actually connected to any monitoring equipment. The wiring terminated at the base of the posts on which the cameras were located. The vendor had installed the required cameras. They just hadn't connected them to anything.

While this is a somewhat extreme, almost comical circumstance, it highlights the importance of doing a little "security by walking around" (SBWA). Having a well-written, fully fleshed-out contract is certainly important, but following up with some SBWA can ensure that the vendor actually understands its obligations and has properly implemented them. SBWA can also assist businesses in establishing that they have acted reasonably in ensuring the data they have entrusted to others is being properly protected.

-Michael Overly

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.csoonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com




Photo by iStockphoto.com




"When people are new...they tend to make mistakes."  PAGE 18

TRENDS, STATS AND FAST FACTS
Edited by Bill Brenner & Michael Fitzgerald

Mars Attacked, by SQL Injection

An old security flaw gains a nasty new approach

On  May  25, 2008,  the  Phoenix  Lander 
touched  down  near  the  Martian  north 
pole. 

On  May  28,  the  lander  deployed  its 

robot  arm. 

On  June  1,  the  Phoenix  Lander  public  web¬ 
site  was  defaced  by  a  SQL  injection  attack. 

The  site  is  among  hundreds  of  thousands 
infected  in  recent  months  by  criminals  using 
automated  SQL  injection  tools.  They  prefer 
to  go  after  known,  trusted  sites.  The  infected 
sites  redirect  browsers  to  what  look  like  legiti¬ 
mate  webpages.  Instead,  browsers’  computers 
are  surreptitiously  infected  with  malware. 

Such  highly  automated  assaults  put  a 
nasty  new  twist  on  the  old  trick  of  SQL  attacks. 

‘Primarily,  the  tool  automates  a  lot  of  different 
aspects  of  attack-like  finding  vulnerable  sites,’ 
says  Ben  Greenbaum,  a  senior  research  man¬ 
ager  for  Symantec  Security  Response. 

For  instance,  the  attackers  start  out  by 
searching  out  pages  built  using  Micro¬ 
soft’s  ASP  (Active  Server  Pages) 
because  these  almost  always 
use  Microsoft  SQL  Server  data¬ 
bases.  So  the  attackers  know 
what  the  underlying  database 
will  be,  and  can  then  easily  probe 
for  poorly  protected  SQL.  Once  you 
know  the  database,  it’s  easy  to  find  the  sys- 
objects  table-which  stores  information  on  all 
the  objects  in  the  database-using  its  default 
name in SQL Server. If there are holes, it’s also simple to insert a malicious bit of JavaScript into the database’s strings, code served up when the application requests it (for instance, a string might display a message).

When the unsuspecting user’s browser calls a string, the JavaScript also sends it to the page serving the malware.

Note that these attacks have nothing to do with a flaw in the Microsoft products. “The attacks don’t rely on a vulnerability in the database or Web server,” Greenbaum says. “A lot of these issues are made possible by coding practices in the application or presentation.”

Therein lies the problem and the frustration. Although the techniques for protecting against SQL injection attacks are well-known in the security community, a lot of Web application developers don’t know them.

Protection “is pretty straightforward for a developer who has a general understanding of security,” says Greenbaum. “Unfortunately, a lot of developers don’t meet that criterion.” The result, according to one estimate from security researcher Michael Sutton, is that about 14 percent of all websites with databases are vulnerable to SQL injection attacks.

Protection techniques include:

■ Checking and validating input to catch attempts to insert SQL commands into input fields

■ Auditing Web applications for security holes, including vulnerabilities to SQL injection

■ Using stored procedures and SQL parameterized queries that filter input before it is sent to the database

(A Microsoft blog has more information: http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx)

Users, meanwhile, can help protect themselves by using the Firefox browser with the NoScript plug-in. The NoScript plug-in blocks JavaScript unless the user specifically allows it for a particular page.

Still, the fundamental fix lies with the companies that write Web applications, says Greenbaum. “It’s up to individual companies to make sure their own websites don’t have these issues,” he says. And it would help to learn SQL security. -Rick Cook
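As an added example (not code from the article or from Microsoft), here is the string-concatenated lookup the article warns about beside the parameterized form it recommends, together with an allow-list check on input and HTML encoding for strings served back to a browser; SQLite stands in for SQL Server, and the table, rows and probe string are constructed for the demonstration.

```python
"""Added example, not code from the CSO article: the string-concatenated query
the article warns about beside its parameterized form, plus input validation
and output encoding for strings the application serves back to browsers.
SQLite stands in for the SQL Server back end; the table, rows and probe
string are constructed here."""
import html
import re
import sqlite3

# Constructed sample data: product records an application might serve to visitors.
SAMPLE_ROWS = [
    (1, "widget", "A plain widget."),
    (2, "gadget", "A gadget with a handle."),
]

# Allow-list for the "checking and validating input" technique: product names
# are short alphanumerics, so quotes, spaces and SQL keywords are rejected early.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_valid_product_name(name: str) -> bool:
    """Input validation: True only if the whole string matches the allow-list."""
    return NAME_PATTERN.fullmatch(name) is not None


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The coding practice the article describes: the user's value is pasted
    into the SQL text, so a quote character changes the statement itself."""
    sql = "SELECT id, name, description FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix the article recommends: the value is bound as a parameter and
    the database compares it as data, never parsing it as SQL."""
    sql = "SELECT id, name, description FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_description(description: str) -> str:
    """Output encoding for the second half of the article's attack: a stored
    string containing markup is shown by the browser as text, not run as script."""
    return "<p>" + html.escape(description, quote=True) + "</p>"


def demo() -> tuple:
    """Run both lookups on a constructed probe and return what each observed."""
    conn = make_db()
    # Constructed probe: a quote that closes the literal, then an always-true
    # clause. Concatenated into the SQL, the WHERE clause now matches every row.
    probe = "widget' OR 'a'='a"
    leaked = len(lookup_vulnerable(conn, probe))      # 2: every product is returned
    safe = len(lookup_parameterized(conn, probe))     # 0: no product has that literal name
    validated = is_valid_product_name(probe)          # False: rejected before any query
    return leaked, safe, validated


if __name__ == "__main__":
    print(demo())
```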




July/August  2008  www.csoonline.com  11 


>>  BRIEFING 


Q&A: CYBERATTACKS

WHAT CSOs CAN LEARN FROM ESTONIA

Security researcher Gadi Evron reviews lessons of the Estonian cyberattacks he helped investigate last year

It’s  been  more  than  a  year  since  the  Baltic 
nation  of  Estonia  wilted  under  the  assault 
of  coordinated  cyberattacks.  The  country 
seems  to  have  bounced  back.  Its  online 
infrastructure  was  back  up  and  running 
within  a  couple  of  weeks,  and  NATO  recently 
announced  it  will  set  up  a  cyber  defense 
center  there  to  research  and  help  fight 
cyberwarfare.  Israeli  security  researcher 
Gadi  Evron  was  among  those  sent  in  to  help 
the  country  investigate  the  attacks  and  get 
back on its feet. The former CISO and Israeli government CERT manager, a popular speaker at such security conferences as Black Hat, reflects on what happened in Estonia, and what other nations and private entities could learn from it all.

CSO:  When  you  reflect  on  what  happened 
in  Estonia,  what  do  you  see  as  the  big  les¬ 
son  for  other  nations? 

Gadi  Evron:  Say,  by  some  miracle,  you  have 
not  yet  experienced  an  attack  via  the  Inter¬ 
net  even  though  you  have  an  Internet-based 
critical  infrastructure.  You  can  no  longer  say 
that  it  won’t  happen  simply  because  it  hasn’t 
happened  yet.  The  biggest  lesson  is  that  in 
today’s  ball  game,  the  player  can  be  the  kid 
next  door  as  much  as  it  can  be  the  big,  bad 
neighboring  country.  Work  on  your  incident 
response  capability  with  the  private  sector, 
because  when  you  get  hit  you  won’t  have 
time  to  address  it  at  that  point. 

Since  those  attacks,  have  there  been  any 
similar  incidents,  to  your  knowledge? 

Several countries have publicly admitted to being attacked online. Most of these attacks are of the quiet, spying type. As to large, incapacitating DDoS [distributed denial-of-service] attacks, they happen daily on the Internet and impact the whole Net, unlike these spying incidents. I am not aware of a major country-debilitating DDoS attack since Estonia, though.

You’ve  described  the  Estonian  incident 
as  a  “cyber  riot”  rather  than  a  case  of 
nation-sponsored  cyberterrorism.  Do  you 
think  all  the  speculation  about  nation- 
sponsored  attacks  was  overblown? 

It was a riot because the online populace was energized to be the foot soldiers. It was also an organized attack, but whether by some ad hoc group of individuals or not, I cannot say, based on the technical data alone. Whether it was Russia or not, [the country] knew how to play the political game afterwards and achieved a high level of deterrence against the former Eastern-bloc countries at virtually no cost.

You mentioned in your Black Hat presentation last year that you had headed to Estonia with images of the fictional nation of Elbonia from the Dilbert comic strips, where mud is the main export and babies are born with beards. But you said you were pleasantly surprised by what you found.

That  stuff  [from  the  presenta¬ 
tion]  was  a  joke.  I  was  mainly 
concerned  about  visiting 
because  of  the  cyberfraud  activity  happen¬ 
ing  there  and  the  damage  the  criminals  can 
suffer  at  the  hands  of  people  like  me. 

If  you  could  offer  three  pieces  of  advice  to 
government  or  private  entities  hoping  to 
avoid  such  attacks,  what  would  they  be? 

Don’t  panic.  Accept  that  the  threat  is  there. 
Don’t  jump  to  solutions,  such  as  just  better 
funding  or  adopting  a  Cold  War  strategy. 

On  a  practical  note,  though,  establishing  a 
countrywide  incident  response  capability 
is  important.  Open  channels  to  the  private 
sector.  Treat  the  Internet  as  insecure  in  your 
design  when  you  build  new  infrastructure 
around  it. 

-Bill  Brenner 


WHEN GOVERNMENTS ARE ATTACKED

In May 2007, the Baltic nation of Estonia suffered a series of distributed denial-of-service attacks that left websites for Estonia’s prime minister, banks and schools in disarray. The incident put a bigger spotlight on the threat of coordinated attacks against governments and political groups. Here are a few examples of such sinister activity:


TITAN  RAIN.  In  August 
2005  researchers  uncov¬ 
ered  a  series  of  Chinese 
websites  that  were  dog¬ 
gedly  targeting  computer 
networks  in  the  U.S. 
Department  of  Defense 
and  other  agencies,  com¬ 
promising  hundreds  of 
unclassified  networks. 

TARGETING TIBET. In March 2008 the SANS Institute’s Internet Storm Center uncovered evidence that pro-Tibet organizations were suffering cyberattacks. The attacks appeared to be related to attacks against other anti-Chinese groups like Falun Gong, and speculation abounded of Chinese government involvement.

JAPAN  UNDER  ATTACK. 
In  February  2005,  the 
Japanese  government 
suffered  a  series  of 
cyberattacks  on  two  of  its 
websites  within  a  week.  A 
government  representa¬ 
tive  told  the  Associated 
Press  that  key  Web  serv¬ 
ers  had  stopped  working 
after  hackers  flooded 
them  with  data,  making  it 
impossible  for  people  to 
access  the  prime  minis¬ 
ter’s  office  and  the  cabinet 
offices’  websites. 

-B.B. 




Advertising  Supplement 


A Dollars and Sense Approach to Business Continuity


Today,  few  business  and  IT  initiatives  match  the  challenge  of  protecting  enterprise  data 
and  ensuring  business  continuity.  Risks  are  everywhere,  taking  the  form  of  both  natural 
and  human-caused  disruptions,  while  strategies  and  solutions  are  often  intricate  and 
expensive.  Many  organizations  find  themselves  struggling  to  meet  aggressive  metrics 
and  targets.  And  as  economic  factors — including  tight  budgets  and  an  economic 
downturn — make  their  presence  felt,  the  situation  is  likely  to  become  more  difficult  for 
already  strapped  IT  executives. 


It’s no small challenge. Business continuity isn’t a set 
and  forget  proposition.  It’s  a  dynamic  and  constantly  evolving 
environment  that  requires  close  technical  scrutiny,  but  also  a 
healthy  dose  of  business  acumen  and  an  understanding  of  how 
to  design  an  infrastructure  that’s  both  effective  and  flexible. 

For  many  organizations  that  find  budgets  and  spending  levels 
moving  sideways  or  creeping  downward,  there’s  enormous 
pressure  to  maintain  an  environment  that  delivers  a  solid 
return  on  investment  (ROI)  as  well  as  the  lowest  possible  total 
cost  of  ownership  (TCO). 

As recovery time objectives (RTO) shrink and recovery point objectives (RPO) diminish, it’s essential for business and IT decision makers to extract the most from their resources and build a better disaster recovery and business continuity model. For some, this may result in a more comprehensive approach to managing solutions. For others, turning to a managed services provider may make sense...and maximize dollars.

The  common  denominator  is  that  things  aren’t  going  to  get  any 
easier  anytime  soon.  Business  continuity  is  in  the  spotlight  and  un¬ 
der  the  microscope.  As  a  senior  operations  manager  at  a  diversified 
manufacturing  firm  explains:  “The  biggest  constraint  is  demon¬ 
strating  a  business  value  for  an  investment  in  systems  to  protect 
against an event that may or may not ever happen.”


SUNGARD Availability Services

Keeping People and Information Connected.™

CSO Custom Solutions Group


Navigating  an  Economic  Downturn 

Few executives would argue that business continuity is anything less than a mission critical activity. More than 70 percent of respondents to a 2008 IDG Research Services survey of 100 companies reported they experienced a serious network outage—due to natural or human causes—over the last year.

One  of  the  biggest  issues  for  most  companies  is  juggling  the 
budgets  and  expenses  of  numerous  lines  of  business:  research  and 
development,  manufacturing,  marketing,  operations,  real  estate, 
equipment,  and  many  others.  Too  often,  disaster  recovery  and 
business  continuity  wind  up  near  the  bottom  of  the  ecosystem— 
simply  because  they  are  less  tangible  and  less  definable  than  most 
other  elements  of  the  business. 

Not  surprisingly,  anything  less  than  a  fully  committed  approach 
to  business  continuity  can  lead  to  problems  and  breakdowns.  For 
most  organizations,  tighter  RTO  objectives  produce  far  greater 
performance  pressures.  It’s  no  longer  feasible  to  ship  tapes  back 
and  forth  after  a  disaster,  or  shuttle  people  around  in  order  to  get 
an  organization  back  up  and  running.  Today,  the  recovery  process 
must  take  place  quickly  and  seamlessly,  while  reducing  the  number 
of  bottlenecks  and  touch  points . 

IDG  Research  Services  found  that  IT  executives  feel  pressure 
to  adjust  practices  and  adopt  new  approaches  and  strategies. 

Nearly half (47 percent) say they believe that the current state of 
the  economy  has  a  negative  impact  on  spending,  while  22  percent 
believe  it  undermines  staffing,  and  20  percent  say  it  threatens  the 




organization’s  ability  to  maintain  equipment  and  facilities. 

The  current  economic  downturn  is  also  taking  a  toll  on  actual 
business  and  IT  practices.  Nearly  half  of  all  respondents  (47 
percent)  say  that  they  are  now  focused  on  optimizing  current  IT 
infrastructure  and  resources;  42  percent  say  they  are  limiting  new 
hires  to  vital  positions;  35  percent  are  trimming  spending  on  facili¬ 
ties,  equipment  and  other  major  assets;  29  percent  are  delaying  IT 
purchases;  and  24  percent  are  postponing  new  IT  projects. 

In  other  words,  CIOs  and  other  IT  executives  recognize  that 
they  must  squeeze  more  out  of  less.  They  must  maximize  the 
use  of  existing  financial  resources  but  also  focus  on  innovation. 
Eighty-one  percent  are  considering  technology  or  services  that 
will  enhance  their  current  disaster  recovery  or  business  continu¬ 
ity  solution.  In  many  cases,  they  are  compelled  to  tap  into  more 
advanced  storage  and  networking  technologies,  virtualization 
methods,  green  solutions,  and  managed  services. 

These  technologies  are  fundamentally  changing  the  business 
continuity  outlook.  And,  for  organizations  that  use  them  wisely, 
they  are  transforming  the  entire  data  protection  model.  They  are 
making  it  possible  to  achieve  performance  and  cost  efficiencies  that 
weren’t  imaginable  only  a  few  years  ago. 

Virtualization  is  a  perfect  example.  It  allows  companies  to  man¬ 
age  data  across  multiple  servers  or  storage  devices.  As  a  result,  an 
organization  can  balance  resources  and  computing  loads  far  more 
effectively.  This,  in  turn,  boosts  speed,  reliability,  and  availability. 

Another tool, electronic vaulting, helps an organization keep track of multiple versions of the same file or document—and store all the data securely within a storage system. The backup process occurs automatically and transparently, which also makes it appealing to smaller firms and organizations that possess limited IT resources. Yet electronic vaulting can create its own set of challenges and obstacles, including a need for additional bandwidth.

[Chart: Optimizing resources and limiting new hires are the top two strategies in place to prepare for a potential economic recession. Categories shown: Optimizing current IT infrastructure/resources; Limiting new hires to vital positions; Reducing spending on facilities, equipment and other major assets; Delaying new technology purchases; Postponing new IT projects; Regulating inventory; Formulating contingency plans in the event of layoffs; Other; Not sure]

Virtualization  and  electronic  vaulting  are  only  a  start,  however. 
The  IDG  research  found  that  organizations  are  now  taking  a  close 
look  at  a  number  of  business  continuity  tools  and  technologies. 

Just  under  half  (47  percent)  are  considering  storage  replication,  and 
42  percent  are  eyeing  failover  capabilities.  Approximately  one-fifth 
(18  percent)  are  weighing  the  use  of  electronic  replication,  and  one 
in  five  are  considering  outsourcing  business  continuity  to  a  third- 
party  provider. 

Storage  replication— also  referred  to  as  file  replication  and  data 
replication— is  growing  in  interest  because  it  provides  a  managed 
service  that  duplicates  stored  or  archived  data  in  real  time  across  a 
storage  area  network  (SAN).  This  extra  layer  of  redundancy  can  prove 
invaluable  if  a  primary  backup  system  fails  for  any  period  of  time. 

Failover capabilities have moved into the spotlight as well. Today’s e-enterprise requires a secondary system or network that takes over when a primary system goes down due to component failure, disruption, disaster, or any other reason. In fact, fault-tolerant servers and storage devices are now key components in building a business continuity model focused on 24/7 data availability.

Not  surprisingly,  this  quiltwork  of  systems  can  prove  com¬ 
plex— and  organizations  must  choose  from  a  tangle  of  technologies, 
including  virtual  tape  systems,  networked  attached  storage  (NAS), 
Internet  Small  Computer  System  Interface  (iSCSI),  SANs,  and 
continuous  data  protection  (CDP).  They  may  also  need  to  conserve 
space  and  energy  costs.  Green  initiatives  have  moved  beyond  good 
corporate  citizenship  and  into  the  realm  of  essential  tools. 

Perhaps more than anything else there’s a need to put everything into perspective and understand what technology or solution is best for a particular situation.

“There’s no simple approach,” says a senior operations executive at a large manufacturing firm.

As a result, his firm has turned to a spate of advanced solutions, including virtualization and SAN replication. “When we make buying decisions, we examine ROI and calculated risk and put it in context with recovery time objectives,” he adds. “Depending on the data, recovery may take minutes or days, but we know when we will have it available. And then we examine the situation and the RTOs on an annual basis.”

Finding  a  Path  to  Success 

With  disaster  recovery  and  business  continuity  growing  more 
complex  by  the  day,  line-of-business  and  IT  leaders  face  increas¬ 
ingly  challenging  systems  management  decisions.  Nearly  two 
thirds  of  the  IDG  Research  respon¬ 
dents  (65  percent)  indicated  that  they 
expect  to  deal  with  competing  priori¬ 
ties,  62  percent  cited  a  lack  of  necessary 
funding,  and  four  in  10  say  that  they 
lack  the  required  personnel.  One-third 
face  technology  limitations  and  three  in  10  feel  that  they  have  little 
or  no  management  support. 

As  a  CIO  for  one  of  the  nation’s  largest  banks  explains:  “Our 
budget  is  extremely  constrained  right  now.  We  don’t  have  the  dol¬ 
lars  and  resources  to  cover  all  of  our  needs.  Unfortunately,  disaster 
recovery  and  business  continuity  don’t  receive  the  attention  they 
should.  There’s  no  question  that  the  situation  leaves  us  somewhat 
vulnerable— especially  for  large-scale  disruptions  like  an  influenza 
pandemic,  an  earthquake,  or  tornado.” 

This financial institution isn’t alone in recognizing that budget 
constraints  often  compromise  the  ability  to  safeguard  data.  In  fact, 
a  growing  number  of  companies  are  looking  for  ways  to  prepare 
for  a  potential  economic  downturn.  According  to  IDG  Research, 
almost  half  of  all  organizations  are  working  to  optimize  their  cur¬ 
rent  IT  infrastructure,  while  42  percent  are  limiting  new  hires  to 
vital  positions.  Just  over  one-third  (35  percent)  are  reducing  spend¬ 
ing  on  facilities,  equipment  and  other  major  assets,  29  percent 
are  postponing  new  technology  purchases,  and  24  percent  are 
postponing  IT  projects. 

Many executives and IT managers recognize that an organization is only as strong as its weakest link. Getting a handle on diverse tools and technologies—as well as network performance and bandwidth—can tax even the most committed enterprise. “Understanding storage tiers and establishing appropriate RTOs for different departments and units within an organization is extremely important,” relates a CIO for a leading transportation firm. “There’s a clear need to conduct a cost-benefit analysis and understand all the tradeoffs.”

This  required  level  of  involvement— along  with  steady  or 
shrinking  budgets— makes  it  more  difficult  for  organizations  to 
deliver  on  the  promise  of  business  continuity.  As  a  result,  a  grow¬ 
ing  number  of  organizations  are  turning  to  a  managed  services 
approach,  which  may  incorporate  virtualization,  electronic  vault¬ 
ing,  failover,  redundancies  and  other  solutions.  These  emerging 


and  evolving  technologies  offered  under  the  umbrella  of  managed 
services— along  with  an  ability  to  re-connect  to  data  from  a  different 
physical  location  following  an  incident— provide  a  less  onerous  and 
often  less  expensive  way  to  plan  for  business  continuity. 

In  fact,  a  managed  services  approach  can  help  an  enterprise 
become  more  strategic  in  its  business  continuity  planning.  An 
outstanding  provider  can  work  with  an  organization  to  develop  an 

effective  disaster  recovery  and  business 
continuity  plan  and  ensure  that  the 
right  equipment  and  workflows  are  in 
place  to  cope  with  a  significant  disrup¬ 
tion.  This  consulting  expertise,  along 
with  the  ability  to  ensure  that  state-of- 
the-art  solutions  are  in  place,  helps  bring  data  storage,  recovery 
services,  network  services,  and  hardware  and  software  under  a 
single  umbrella.  This  approach  can  shift  business  continuity  from  a 
burden  to  a  strategic  advantage. 

Yet,  all  managed  services  providers  are  not  created  equal.  It’s  vital 
to  deal  with  a  company  that  has  the  business  and  technical  expertise 
to  understand  risks  in  context  with  an  industry  and  a  specific  enter¬ 
prise.  It’s  also  essential  to  seek  out  a  services  provider  with  a  robust 
infrastructure, including hardware, software, facilities, networking 
and  bandwidth,  and  around-the-clock  support.  Account  managers 
and  support  staff  must  understand  an  organization’s  exact  require¬ 
ments  and  constantly  evolving  strategic  objectives.  And  the  company 
must  invest  in  technology  and  training  to  stay  current. 

Adopting  a  Dollars  and  Sense  Approach 

Hardened  facilities,  adequate  network  resources,  ample  band¬ 
width,  the  right  combination  of  hardware  and  software  solutions, 
and  knowledgeable  IT  staff  can  determine  whether  an  organization 
navigates  past  an  incident  unscathed  or  finds  itself  struggling  to  stay 
afloat.  Moreover,  the  ability  to  access  enterprise  systems  and  data 
after  a  disaster  or  outage  can  separate  success  from  failure. 

In  the  end,  business  continuity  planning  is  a  formidable  task  but 
one  that  every  organization  must  address— particularly  in  an  era  of 
rapidly  shrinking  RTOs  and  RPOs.  Although  stagnant  budgets  and 
a  tough  economy  make  the  task  more  onerous,  organizations  that 
keep  their  eye  on  core  strategic  issues,  create  a  flexible  and  scalable 
environment,  use  emerging  technologies  and  managed  services 
effectively,  and  avoid  complacency  are  poised  for  far  greater 
success  and  maximum  ROI.  In  difficult  economic  times,  nothing 
less  will  suffice. 

For  more  on  business  continuity,  including  the  research 
report  mentioned  in  this  article,  please  visit  the  SunGard 
solution  center  at  www.cio.com/solution-centers/sungard. 




SunGard  Availability  Services  help  your  business  move  forward  with 
the  most  advanced  and  widest  choice  of  information  availability  options 
in  the  industry 

From  virtualization  to  hot  sites  to  replication  and  vaulting— SunGard  Availability 
Services  does  it  all.  And  it’s  all  we  do.  That  kind  of  focus  helps  ensure  high  availability 
of  data,  applications  and  systems  and  fits  your  needs  and  budget  precisely. 

When  we  partner  with  you,  you  worry  less  about  the  road  ahead.  Here’s  why:  a 
track  record  of  100%  successful  recoveries;  over  60  facilities  with  redundant 
power  connected  to  SunGard’s  secure  global  network;  and  more  than  20,000  end- 
user  positions  in  facilities  across  North  America  and  Europe.  SunGard  Availability 
Services — the  information  availability  solution  for  businesses  that  must  run  non-stop. 
Keep moving, call 1-800-468-7483 or visit www.availability.sungard.com. 


SUNGARD 

Availability  Services 

Keeping  People 
and  Information 
Connected.® 

7th Annual DIGITAL ID WORLD

September 8-10, 2008
Hilton Anaheim
Anaheim, California

www.CSOonline.com/digitalidworld08/info

produced by CSO

Join  us  at  the  Digital  ID  World  Conference  and  walk  away  with  the  necessary  foundation 
and  in-depth  knowledge  for  succeeding  in  all  phases  of  your  "Identity  Big  Bang" 


Digital ID World is your source for the straight talk, hard-won lessons, and practical insight derived from real-world deployments. Our focus is simple: putting enterprise IT professionals onstage to give you their unvarnished views on what it took to achieve success with their identity deployments. Digital ID World is the industry event for learning how to help manage your business with identity.


Topics being covered at this one of a kind event include:

• GRC and Identity

•  The  growing  usage  of  user-centric  identity  technologies 

•  Securing  the  perimeter  with  identity 

•  Using  identity  for  application  integration  and  virtualization 

•  Identity  and  SOA 

•  Achieving  "anywhere  access" 

•  The  convergence  of  physical  and  logical  access  control 


•  How  to  automate  policy  enforcement 

•  Understanding  entitlement  management 

•  Untangling  the  mess  of  role  management 

•  Integrating  the  security  of  network  and  application 
layers  with  identity 

•  Identity's  role  in  your  Sharepoint  deployment 

•  Moving  past  point  to  point  federation 

•  And  so  much  more... 


Register now for the 7th annual Digital ID World Conference and take advantage of the early registration discount by referencing Priority Code AD and attend the full conference at the special price of only $995. You must register by August 29th to take advantage of this special offer.


For  more  detailed  information  please  visit 
www.CSOonline.com/digitalidworld08/info or call 800-366-0246 to register. 




PHYSICAL SECURITY

Lock and Download

Tired of having to walk to the door to adjust the lock? Now you can do it from the Web

Lochisle, an Ottawa-based company that aspires to “change the locks of the future,” has released iLoch, a Web-based access control program for doors. It’s easy enough for small businesses and even homeowners to use in place of mechanical locks and keys.

Lochisle’s hardware is based on the iButton, an embedded system from Dallas Semiconductor.

The iLoch is aimed at smaller companies that rely on mechanical locks and can be programmed anywhere from any Web browser, says Gavin McLintock, founder, CEO and CTO of Lochisle.

“We’re just making it a whole lot cheaper, easier, quicker and more convenient to program access control and look at the access logs,” he says.

One analyst says the iLoch represents part of a shift in the access control market to Internet-based systems. “They’re in the right area. I haven’t come across somebody else doing what they’re doing,” says Niall Jenkins, an analyst at IMS Research in Wellingborough, U.K.

Jenkins noted that access control companies don’t usually target small and midsize businesses.

-Michael Fitzgerald


BY THE NUMBERS: BRAND MANAGEMENT

500,000: Instances of brand abuse per week

402,882: Number of brandjacking cases that involved cybersquatting

408: Number of organizations phished in Q4 2007

102: Number of new organizations targeted by phishers in Q1 2008

14: Number of organizations that account for 90 percent of all phishing URLs

60%: Level of phishing attacks against auction brands in Q1 2008

Source: MarkMonitor’s Spring 2008 Brandjacking Index


Why  Travel  Brands  Are  Getting  Hijacked 

Digital  outlaws  are  hijacking  the  brands  of  online  travel 
companies  and  airplane-parts  manufacturers.  Who's  next? 


Online  travel  sites  and  airplane-parts  manu¬ 
facturers  are  among  the  biggest  victims  of 
cybersquatting,  false  association,  pay-per- 
click  abuse  and  domain  kiting,  according  to 
security  vendor  MarkMonitor. 

The  vendor  points  to  the  increased  risk  in  those 
business  sectors  in  its  most  recent  “Brandjacking 
Index,”  a  monthly  report  highlighting  phishing  scams 
in  which  legitimate  brand  names  are  hijacked. 

The  findings  also  seem  to  confirm  that  the  bad 
guys  are  using  search  engine  optimization  (SEO) 
tricks  to  get  their  bogus  sites  higher  in  the  search 
rankings. 

Meanwhile, the vendor found that cybersquatting (registering, trafficking in or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else) is the most pervasive form of brandjacking, growing by 40 percent in the first quarter of 2008.

Dancho  Danchev,  an  independent  security 
researcher  and  consultant  based  in  the 
Netherlands,  said  the  MarkMonitor  research 
reflects  much  of  what  he  has  been  monitoring 
in  recent  months. 

Danchev has seen evidence that phishers are creating imposter brands by using automated tools that crawl the Web looking for legitimate sites and, once they find suitable candidates, create illegitimate duplicate sites. He adds that scams are getting more sophisticated due to localization techniques. For instance, crooks are starting to register the domains in a native language to attract local traffic.

MarkMonitor  Chief  Marketing  Officer  Fred 
Felman  says  he’s  not  surprised  by  the  explosion  of 
online  travel  scams  designed  to  lure  shoppers  from 
legitimate  e-commerce  sites.  In  these  cases,  the 
scammers  create  bogus  travel  sites  that  appear 
legitimate.  Visitors  then  offer  up  their  credit  card 
numbers  and  other  personal  details,  thinking  they 
are  booking  a  trip. 

“The  criminal  is  always  thinking  about  where 
the  money  is,  so  it  makes  sense  they  would  go  after 
travel  sites,”  he  says.  “We  all  travel  and  are  frus¬ 
trated  by  the  high  cost  of  airline  tickets  and  hotel 
rooms,  so  we’re  constantly  looking  for  bargains.” 

-Bill  Brenner 




Vance  Uniformed  Protection  is  now  Garda 

A  new  name  for  the  security  team  you  know  &  trust 


Consistent  service  Experienced  team  Exceptional  value  Reduced  risk  Peace  of  mind 


For  decades,  Fortune  500  corporations  and  sensitive  government 
agencies  alike  have  trusted  Vance  Uniformed  Protection  to  secure 
personnel,  property  and  assets.  Strict  screening  produces  quality 
security  officers.  Rigorous  training  and  supervision  requirements  yield 
consistent,  reliable  services  that  reduce  risk  and  deter  criminal  activity. 
Now  part  of  Garda,  Vance  Uniformed  Protection  continues  to  deliver 
unsurpassed  value,  maximizing  client  budgets  by  offering  superior 
security  programs  at  a  competitive  price. 


In  fact,  only  our  name  has  changed.  The  same  men  and  women— 
from  the  company’s  seasoned  management  team  to  its  experienced 
security  officers— provide  exceptional  value  and  service  with  a  total 
commitment  to  quality,  day  in  and  day  out. 

Under  the  Garda  name,  Vance  Uniformed  Protection  experts 
continue  to  protect  your  people  and  assets.  We  use  the  same 

screening, training, employee-retention programs and the same 
quality-assurance  standards  to  deliver  the  service  consistency 
and  peace  of  mind  that  you  have  come  to  expect. 


GARDA 


Contact our experts at 800.533.6754 or info@gardasecurity.com to upgrade your security program. gardasecurity.com


FORMERLY  VANCE 




TRAVEL  PROTECTION 


LIMITS  OF  THE  LAW 

Notification  Laws 
Not  Lowering 
ID  Theft 

Most states have data breach disclosure laws, but they don’t seem to be making a difference

Over  the  past  five  years,  44  U.S.  states  have 
adopted  data  breach  notification  laws. 

But  has  it  actually  cut  down  on  identity 
theft?  Not  according  to  researchers  at 
Carnegie  Mellon  University,  which  published  a 
state-by-state  analysis  of  data  supplied  by  the 
U.S.  Federal  Trade  Commission  (FTC). 

Sasha  Romanosky,  a  PhD  student  at  Carnegie 
Mellon  and  one  of  the  paper’s  authors,  led  a 
state-by-state  review  of  FTC  identity  theft  com¬ 
plaints  filed  between  2002  and  2006  to  see  if 
there  was  a  noticeable  impact  on  complaints  in 
states  that  had  adopted  data  breach  notification 
laws  such  as  California’s  SB  1386,  which  compels 
companies  and  institutions  to  notify  state  resi¬ 
dents  when  their  personal  information  has  been 
lost  or  stolen. 

Since  1999  the  FTC  has  invited  identity  theft 
victims  to  log  information  about  their  cases  on 
its  website.  The  data  is  then  made  accessible  to 
law  enforcement,  which  uses  the  information  to 
help  analyze  crime  trends.  A  lot  of  people  com¬ 
plain,  but  this  represents  only  a  subsection  of  all 
identity  theft  cases.  In  2006,  for  example,  the 
FTC  logged  246,035  identity  theft  complaints, 
while  a  Javelin  Strategy  survey  estimated  that 
there  were  8.9  million  ID  theft  victims  that  year. 

Looking  at  the  monthly  complaint  records, 
the  researchers  didn’t  find  any  statistically 
significant  effect.  There  may  be  good  reasons  for 
this.  Many  consumers  ignore  breach  notifica¬ 
tion  letters,  and  Romanosky  believes  security 
firms  are  still  not  doing  enough  to  protect  data 
themselves.  -Robert  McMillan 


SECURITY  TIPS  FOR 
OLYMPICS  VISITORS 


Going  to  Beijing  for 
the  2008  Olympics? 
Better  mind  your  data. 

Like  the  Gold  Rush  of  1848,  the 
Beijing  Olympics  of  2008  will 
result  in  the  mining  of  informa¬ 
tion  and  the  panning  for  data. 
Here’s  what  to  do  to  protect  your 
data  (whether  traveling  to  Beijing  or 
anywhere  else): 

■  Encrypt  all  corporate  devices,  if 
you  must  bring  them. 

■  If  you  cannot  encrypt  your  hard 
drive,  remove  sensitive  data 
prior  to  going. 

■  Establish  BIOS-level  passwords; 
■  Never  let  the  device(s)  out  of 
your  sight.  You  must  treat  them 
like  a  wallet  and  keep  them  with 
you. 

■  Never  leave  them  in  your  hotel 
room  or  office). 

■  If  you  must  bring  flash  drives, 
remove  sensitive  data  and  then 
encrypt  them. 

■  Do  not  bring  MP3  players. 

■  Remember  that  digital  cameras 
come  with  storage  and  can  be 
plugged  into  your  laptop;  if  you 
must  leave  it  in  your  hotel,  take 
the  storage  card  with  you. 


Cell  phones-keep  with  you  at 
all  times;  remove  sensitive  data; 
password-lock  and  encrypt 
where  possible;  do  not  bring 
your  SD  chips. 

Use  encryption  (VPN/SSL  VPN) 
in  all  connections. 

Do  not  connect  to  the  Internet 
in  open  areas  (kiosks,  cafes,  etc.). 
Do  not  use  wireless  connections 
unless  you  absolutely  must. 
Ensure  that  all  AV  and  firewalls 
are  updated  on  your  laptops  and 
cell  phones. 

Ask  your  IT  security  organiza¬ 
tion  to  establish  anomaly-based 
intrusion-protection  systems  on 
your  laptops. 

If  any  of  your  devices  are  confis¬ 
cated  and  then  returned  to  you, 
don’t  use  them  again. 

To  avoid  most  of  this  pain,  just 
don’t  bring  the  stuff. 

Drop  off  the 
grid  for  a  few  days 
and  enjoy  the 
games. 

-Jeff  Bardin 




When you're the leader in physical access control,

With HID's Crescendo™ line, the world leader in physical access can now put powerful network access control on the same credential

HID is known the world over for the innovative technology and unmatched reliability of our access control cards and readers. Now, our Crescendo products bring the same expertise to controlling access to your network - and the technology can be combined with your existing physical access card. When it comes to accessing your data, the proven security and elegant simplicity of HID's Crescendo solutions make them the logical choice.

Microsoft Identity Lifecycle Manager 2007

To request a Crescendo Evaluation Kit, visit www.hidglobal.com/crescendo


half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers.

50: Number of retailers contacted by Gartner

21: Number of them admitting to a data breach

3: Number of those who disclosed the incidents to the public

44: Number of states that require companies to disclose data breaches (as of June 2008)

Source: Gartner

DATA BREACHES

Loose Lips, Pink Slips

Speaking candidly about your employer's security weaknesses can be career-limiting, as one TJX employee discovered

A low-level TJX employee lost his job in May for speaking in public about information security problems he uncovered while working for the company.

The employee, Nick Benson, is a University of Kansas student who worked at T.J. Maxx's Pine Ridge Plaza store in Lawrence, Kan. In an e-mail interview, he said he was fired for violating corporate policy by disclosing proprietary information.

TJX is sensitive about information security after being the victim of a massive data theft, apparently made possible by poor security on the company's wireless networks. That breach, which compromised 94 million credit and debit card accounts, has cost the company tens of millions of dollars in legal settlements.

Benson, also known by his hacker name, Cryptic Mauler, is a frequent poster to computer security discussion groups such as Full Disclosure and the sla.ckers.org Web forum, where he criticized the company's password policy, its server security settings and the competence of the technicians who install firewalls at the company's stores.

"I never use anything but cash at their stores, but it's hard to sleep at night knowing the same network stores my employee information," he wrote on Aug. 22, 2007. "For all I know that information has already been picked clean by the hackers and [the] company could have swept it under the rug."

Although Benson didn't disclose anything that would have been news to a "vaguely smart" criminal, he did make a mistake by not disclosing the problems he'd found through all the proper channels, says Robert Hansen, the CEO of SecTheory.com and owner of the sla.ckers.org site. He first blogged about Benson's termination in May.

Hansen says he felt bad for Benson, as did many of the contributors to his website. "He's a young guy," he says. "He didn't know the rules."

It's an all-too-common story in the information security industry, Hansen said. "When people are new to information disclosure... they're idealistic and young and they tend to make mistakes," he says. "A good chunk of the people who sympathize with him have had almost exactly the same thing happen to them."

Benson said he reported the issues to his store manager and the company's district loss-prevention manager, but no immediate action was taken.

Benson had expressed concern that he might be fired for reporting the problem. "I don't want to lose my job for reporting this," he wrote. "Unfortunately anonymously reporting this will not work, since it would require me giving the store location which would then easily zero me out."

Apparently TJX zeroed Benson anyhow, identifying him from the IP address he used to post his comments to the website, Hansen says.

The company met with him and asked him to explain all the security issues he'd found. After that, he was "fired on the spot," he says.

Benson says the company threatened to take legal action against him if he talks any more about the company's security problems.

-Robert McMillan




Network Security

TRIGEO SIM™ IS A UNIQUE NETWORK DEFENSE TECHNOLOGY.

(But don't take our word for it — look at what our customers are saying.)

"This is by far the best SEIM system I've ever seen, let alone owned. It's everything it was represented to be and more. Everything about my experience including purchase, installation, support and training has been positive which is unusual for a technology product and company.

I never imagined security event management could be so easy (even fun). I'm getting information in seconds that previously would have taken hours or days."

- Windsor Management Group

Only TriGeo SIM blends real-time log management, analysis, event correlation and end-point security with a unique active response technology. The result is unprecedented network visibility, security and control.

Join the hundreds of TriGeo SIM customers defending their networks and passing their PCI, SOX, GLBA, HIPAA, NCUA (and more) audits with outstanding ratings!

GET TRIGEO. GAIN VISIBILITY.

Award badges: Magazine Best of 2005, Magazine Best of 2006, Magazine Awards Winner (Honored in the U.S.)

Seeing is believing

Find out why this award-winning technology is so highly rated by reviewers and loved by customers.

Give us a call, or register online, and join us for a live presentation where you'll see TriGeo SIM in action under real-world conditions. Watch as we capture, correlate and respond to network attacks and policy violations -- all in real-time. Register today at www.trigeo.com or call 1-866-664-9292.

© 2008 TriGeo Network Security, Inc. All rights reserved. TriGeo SIM is a trademark of TriGeo Network Security, Inc.


TOOLS, TECHNOLOGIES AND TACTICS

By Stacy Collett

How to Evaluate Business Continuity Consultants

Five questions to help weed out the posers from the real deal

Siemens IT Solutions and Services always had a solid business continuity plan in place. But it wasn't until 9/11 that business continuity planners truly understood what was lacking.

"We probably had the larger things covered, but on a moment's notice we were not as well put together as we could have been," says Debbie Hoppenjans, manager of business continuity planning. "It made us, as a company, really take a step back and look at what we would do."

So the company began its search for business continuity consulting services. But it wasn't exactly thrilled with most of its prospects.

"There seem to be a lot of them out there, and from our experience a lot of them are not very good," says CISO Dave Bixler.

Overall, complaints range from a lack of knowledge about the business and miscommunication, to not understanding the scope of the challenge.

"A lot of times the [consulting firms] are so dead-set on upselling," Hoppenjans says. "Any BCP 101 person will tell you that we have to document our plans up to today. So many times you find companies trying to help you plan for years to come." If they don't know your business and what you're going through, "how do you know this is where we need to go?" she adds.

The problem can be traced to the days following 9/11, says Russell Wooldridge, marketing manager at the Disaster Recovery Institute International in Washington, D.C. Many security firms simply added business continuity to their list of services to meet companies' demands, but offered little training and experience to back up their claims, he says.

Business continuity services represent a $3 billion to $4 billion business, according to Gartner. Some 28 percent of companies manage their business continuity plan with the assistance of an external provider, according to a survey of 254 senior executives by consulting firm KPMG. There is a higher reliance on external support—38 percent—in midsize enterprises, and the financial services sector showed the highest




What are you willing to risk?

Today's security challenges can be international in nature, domestic, or even from within. Yet, even the most immediate issues you face can be mitigated with the right education, tools, planning, and implementation—the kind of knowledge that you'll discover at ASIS 2008, the recognized world leader when it comes to providing the security industry with hands-on resources.

For security professionals looking to manage risk, the ASIS Exhibit Hall showcases the products and services that attract more than 23,000 solution seekers every year. Explore the vast hall and uncover the latest in security, including 200+ new market introductions. Plan to get face-to-face with experts primed to discuss your needs and challenges.

From wall-to-wall innovations to an advanced education second to none, ASIS 2008 delivers integrated solutions that yield the highest levels of protection with the least amount of risk. For more information or to register, visit www.asisonline.org/asis2008 or call 1-703-519-6200.

Three years running, named one of the 50 fastest growing tradeshows in North America.

ASIS INTERNATIONAL 2008
54th Annual Seminar and Exhibits
September 15-18, 2008 | Atlanta, GA
www.asisonline.org


>> TOOLBOX

BUSINESS CONTINUITY CONSULTANTS

BC planning consulting services: consulting services to help firms conduct a business impact analysis, local threat assessment and actual BC plan development

The market breaks down into the following types of providers:

■ Management consulting firms (e.g., Deloitte & Touche, Accenture)

■ Technology vendors (e.g., HP, IBM, EMC)

■ Managed service providers (e.g., EDS, SunGard, and even telecommunication providers such as AT&T, Qwest in U.S., etc.)

■ Specialized BCP firms (these tend to be small, boutique consulting firms)

There are numerous regional and boutique consulting firms.

For a longer list, you can check out DRJ.com's vendor catalog at www.drj.com/vendor/drj5con.html. You can also find a list of consultants at www.continuitycentral.com/consultants.htm.


preference for external service providers at 41 percent.

Companies have taken giant steps in business continuity preparations, says Ben Thornton of Corus, a disaster recovery and business continuity consulting firm. Larger companies are forming their own DR and BC staff and certifying their skills through disaster recovery groups like The Business Continuity Institute, DRII and the Business Resilience Certification Consortium, to name a few.

"We're not out there as evangelists anymore trying to convince people to do this. There's now a genuine understanding that business continuity [planning] is a part of business, and that's good," Thornton says. While that creates more competition for consulting firms, these in-house groups still need coaching, assistance and "spot help," he adds.

Business continuity planning consultants include large firms like Accenture, Deloitte, PricewaterhouseCoopers, EDS, Booz Allen Hamilton and IBM Global Services. There are also dozens of boutique consulting firms—regional and niche players that just focus on business continuity planning.

How can you be sure that the consulting firm has the expertise to fill in your business continuity gaps? Here are five questions to ask when choosing the best business continuity consultant for your company.

1. Do you know what you need?

GOOD BUSINESS CONTINUITY planning starts with understanding what your exposures are and making a good decision on recovery strategy. If you've got a solid strategy, developing your plans becomes very straightforward. The solution may not be in place, but it's on the way. Now you can develop plans to execute that strategy.

"The most critical part of the whole process is your business impact analysis, including the risk assessment," Hoppenjans says. "That's where you need to spend most of your time. If your consultant tells you differently, [that's a problem]. Business impact analysis is the key to your entire plan."

Consultants should also perform a recovery option study to determine these priorities. Some consultants will perform a business impact analysis and identify the exposures and impacts to expect in a disaster. But they won't describe how to solve those problems. Make sure the consultant is willing to outline your recovery options and the amount of time each option will take.

2. Will the firm present several options?

IF YOU GO to a company that provides big-name technology solutions and consulting services, "why would it surprise you what their answer should be?" Thornton says. There are a lot of options out there, and consultants should present several options for business continuity solutions.

"When it comes to business continuity, it's about planning and services, and it should be less about technologies," says Stephanie Balaouras, analyst at Forrester Research.

"It's your strategy for responding to business disruption and covers people, facilities and technologies. It covers everything from pandemic planning to 'Microsoft Exchange is down.'"




WHAT SHOULD A BUSINESS CONTINUITY CONSULTANT KNOW?

■ Project initiation & management

■ Risk evaluation & control

■ Business impact analysis

■ Developing business continuity strategies

■ Emergency response & operations

■ Developing & implementing business continuity plans

■ Awareness programs & training

■ Maintaining & exercising BC plans

■ Crisis communications

■ Coordination with external agencies

SOURCE: DRI International


Firms that offer business continuity planning and consulting services should be able to help you do a business impact analysis, identify critical business processes, map all the dependencies and define how critically you need them, and what the impact would be on revenue. "When you understand that, you can build a business case and invest in the right solutions," she adds.

Consultants should first conduct a threat assessment and then put a plan together. "It's a huge, in-depth process" that needs regular reviewing and updating, Balaouras adds.

3. Are the consultants certified in business continuity planning?

CERTIFICATION ENSURES THAT business continuity consultants are well-versed in all aspects of BC planning. At Siemens, certification is preferred, not required, "but I would recommend it to anyone," Hoppenjans says.

Nationally there are about 4,500 certified business continuity consultants, according to DRI International, a nonprofit business continuity certification group based in Washington, D.C. "Most of the


ELEMENTS OF A BUSINESS CONTINUITY PLAN

Service: defining, real-time monitoring and management of performance criteria tied to business service goals.

Availability: the design and implementation of resilient and scalable technology infrastructure underpinned by robust IT management practices focused on delivering information at the required service levels.

Recoverability: the design and implementation of technology solutions to deliver rapid restoration of information availability.

SOURCE: KPMG


major consulting firms have [certified BC consultants], as well as about 14 percent of independent BC consultants," says Al Berman, executive director.

A survey by BC Management, a business continuity executive search firm in Huntington Beach, Calif., showed that 75 percent of the respondents were certified, while 25 percent were not. Business continuity certification bodies include BCI, DRII, BRCCI, the University of Virginia and Strohl Systems. Specialized certifications are available for emergency management, risk management, audit, security and technology.

DRI International offers certification specifically for business continuity consultants and vendors to ensure that practitioners understand professional practices.

Each subject area includes the professional's role within the area and an outline of recommended knowledge within the subject area. The 10 subject areas cover topics such as risk evaluation and control, business impact analysis, emergency response and operations, awareness programs, training, crisis communication and coordinating with external agencies.

Ask if the consultants you'll be working with are certified in business continuity planning.

4. Are they willing and able to prioritize?

YOU CAN SAVE a lot of money by evaluating your recovery priorities, Thornton says, adding, "If you need systems back up in six hours—you can, but you'll have to throw a lot of money into that. Instead, consultants should be asking, 'Do you need that? What can you wait a couple of days on, or a week on?' and establish priorities."

Perhaps only 20 percent of the total environment—the most vital systems and applications—must recover in minutes or hours. "I can do that more economically than the whole thing," Thornton says. Different strategies can be deployed for lower priorities. "If I've got three days, I can build that system up very quickly—that's a lot less expensive than equipment that is standing there ready—not to mention the added cost of keeping that equipment current and fresh," he adds.

5. Do they offer solutions to fit your budget?

NEARLY ONE-QUARTER OF companies surveyed by KPMG have not been able to justify the costs of business continuity plans. Most of these companies are large enterprises with 500 to 999 employees, according to the study.

Consultants should know your business well enough to understand budget constraints and your immediate business continuity needs.

"We let the business [units] decide what they want to spend and help coordinate based on what the numbers tell us," Hoppenjans explains. "We let [business impact analysis] data tell us what each department is doing as far as BC planning, what their risks and what their vulnerabilities are, and they decide what to spend. Some responses may be customer- or contract-driven."

With all of their questions answered, Siemens IT Solutions and Services found a qualified BC consulting firm and has worked with the firm since 2002.

"You can never know how prepared you are until something happens," Hoppenjans says. "But I think we're well-equipped with the right tools to guide us through." ■

Stacy Collett is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.




Q&A: RISK MANAGEMENT

Endless Broadening of Security

For Bruce Schneier, the security discipline still evolves and expands. Now he's the one trying to expand it.

» In September 2003, Bruce Schneier was evolving from cryptographer to general security thinker. An emerging generation of Internet criminals and the new realities of a post-9/11 world were fueling his ideas beyond information security to the broader realm, where technology and the physical world interacted. He was beginning to see security as a social science. "Real security means making hard choices," Schneier told CSO at the time.

Nearly five years later, we wanted to find out how Schneier's views on security have evolved since then. Of course his views have changed—Schneier is not one to let his ideas settle into complacency. For Schneier, who is chief security technology officer of BT, security keeps getting broader, more general, more related to every aspect of our lives. Security, which started for him as fixed equations used for hiding digital data, has become nothing less than the fundamental catalyst for all human behavior. "I have come to believe that security is fundamentally about people," he says.

With this endless broadening of security has come an endless broadening of ambition. Schneier is launching the Workshop on Security and Human Behavior—an effort to




bring together the brightest thinkers from any number of disciplines: economists, technologists and psychologists—even poets will be there. The goal is no less than to launch a new academic discipline.

CSO contributor Scott Berinato spoke with Schneier about this effort, his impressions of how security's changed over the past five years, and the highly sophisticated risk management practiced by lima beans.

CSO: Five years ago, we published "The Evolution of a Cryptographer" about how your views on security had changed. Let's start there again. How have your views changed since then?

Schneier: My career seems to be an endless series of generalizations. First cryptography, then computer and network security, then general security—airlines, ID cards, terrorism and so on—more recently security economics, and now the psychology of security.

This evolution reflects my continuing search for broader contexts by which to understand security. I started out in the details of the technology, but have come to believe that security is primarily about people—and that understanding the people is more important than understanding the technology. Because if we get the economic or psychological motivations wrong, it doesn't matter how good our technology is; it's not going to be used.

In other words, the fact that something should be secured has little to do with whether it will be secured?

There are lots of examples of technically sound security ideas that never got fielded because the economic model was wrong. There was never any customer for digital cash because no one who was in a position to pay for the system cared about customer privacy. Instead, we ended up with PayPal, which isn't anonymous but is easy to use and has a recognized income model. Solutions that defend against malware in the backbone don't work because the pain is felt at the endpoints. Cell phone companies spend millions to prevent toll fraud, but nothing on voice privacy. I could go on and on. It's not surprising, really. Security is fundamentally about people, and everything we know about people is relevant to



security.  What’s  more  surprising  to  me  is 
how  so  many  of  us  security  technologists 
have  ignored  the  social  sciences  for  so  long. 

You’re  on  the  precipice  of  formalizing 
some  of  these  ideas  into  a  new  aca¬ 
demic  discipline.  What  do  you  hope  to 
accomplish? 

It’s  a  combination  of  disciplines:  experi¬ 
mental  psychology,  behavioral  economics, 
evolutionary  biology,  cognitive  science, 
neuroscience  and  game  theory,  with  bits 
of  philosophy,  sociology  and  anthropology. 
All  of  these  disciplines  are  coming  together 
to  explain  how  we  think,  and  they  have  a 
lot  to  say  about  how  we  process  fear,  risk, 
security,  costs  and  trade-offs.  Researchers 
from  these  disciplines  have  a  lot  to  teach  us 
in  computer  security,  and  we  have  a  lot  to 
teach  them.  It  is  my  hope  that  by  bring¬ 
ing  all  these  people  together— which  I’m 
trying  to  do  at  the  Workshop  on  Security 
and  Human  Behavior— these  different 
disciplines  can  start  talking  to  each  other, 
and  eventually  start  collaborating. 

What  would  you  name  this  collabora¬ 
tive  discipline?  Anthro-security? 

I  like  “Security  and  Human  Behavior” 
because  it  captures  the  evolution  of  the 
discipline.  The  convergence  of  security 
research  with  ideas  from  economics, 
which  began  in  the  late  1990s,  begat  the 
economics  of  information  security,  and  the 
first  WEIS  (Workshop  on  the  Economics 
of  Information  Security)  conference  in 
2001.  This  led  to  a  convergence  of  psychol¬ 
ogy,  usability,  economics,  and  security  and 
privacy.  Now  we’re  seeing  a  convergence 
of  behavioral  economics  and  the  psychol¬ 
ogy  of  information  security,  with  all  those 
other  disciplines  thrown  in. 

Even  poets  and  writers  have  something 
to  say  here.  Certainly  horror  writers  like 
Stephen  King  and  Dean  Koontz  under¬ 
stand  humans  and  fear. 

The use of MRI images of the brain is becoming a pop phenomenon. Because we can see parts of the brain "light up" in these studies, we make simple causal connections between how the brain works and how we behave. It seems like people are using brain scans to explain away many behaviors, even if the underlying science is far more complicated than the popular stories about this technology make it seem.

Recently there have been enormous scientific advances in understanding the human brain, but neuroscience is still in its infancy; scientists are still groping around looking for coherent theories. And certainly, whenever someone says something like "The seat of this piece of cognition is in this part of the brain," they're making a gross oversimplification.

Making security trade-offs is fundamental to being alive. After figuring out how to eat and reproduce, the next most important thing for a species to figure out is how to avoid predators. So with security such a fundamental driver of brain development, it's not surprising that very primitive parts of our brain control some of our basic security reflexes. The amygdala, for example, is an ancient part of the human brain that first evolved in primitive fishes. It's what controls the fight-or-flight response: increased heart rate, increased muscle tension, sweaty palms and so on. That part of the brain is so fast that when you see a snake, your amygdala starts working even before your conscious brain knows what you're looking at. You can override your amygdala. That's part of what makes you uniquely human, and it happens whenever you take a dressing-down from your boss and just listen instead of either running away or stabbing him with a spear. But it's hard.

The Department of Homeland Security recently celebrated its fifth anniversary. Most people associate DHS with orange alerts, airport security lines and Hurricane Katrina. How would you evaluate DHS over its first five years?

The DHS was formed by throwing together a bunch of different organizations under new management, and it has spent most of its effort trying to coordinate all these organizations. Herding cats is easy compared to what the DHS is trying to do; you can tell by the very public failures we all talk about. I always thought creating a large new bureaucracy wasn't the way to help. And, unfortunately, the politicization of the DHS over the past five years has contributed to the problem. The DHS in its current form should be disbanded.

Two security truisms are relevant here. One, security decisions need to be made as close to the problem as possible both in terms of time and space. There is a lot of room for abuse, so oversight is vital, but it's also more flexible and adaptive. And two, security analysis needs to happen as far away from the sources as possible. The whole picture is larger than any single agency, and each one only has access to a small slice of it. What this means is that we would do better as a nation if our counterterrorism response were coordinated centrally but implemented in a distributed fashion. Back in 2002, I wrote that "the new Department of Homeland Security needs to coordinate but not subsume." I still agree with that.

This is an elegant model for security: Act locally; think globally. It's what FEMA was celebrated for before it became part of DHS. It's so simple. Why don't we do this more?

The U.S. Marine Corps, actually, has a doctrine that decisions are made close to the action, by people on the ground who know the situation best.

Two things prevent people from taking this approach: control and fear. Governments like control and are predisposed to solutions that involve more centralized control. And people dislike fear. When people are scared, they'll do anything to make that feeling go away. Combine a government that wants control with people who will do whatever the government says they should, and you have the current situation.

Another phenomenon from the past five years: walls. Often, they're called fences now, but they've enjoyed renewed popularity in the security world. Along the Mexican border, on the West Bank and elsewhere, walls are being put up as a security measure. What do you make of this? How does this relate to the work you're doing now?

Walls are one of our most primitive boundaries, and we have an almost visceral reaction to them. They make us feel safe. The problem is that the security of walls is less about the walls themselves and more about the doors in them. Every boundary, whether real or virtual, has authorized ways to go through it. It's the checkpoints that allow people to go between countries, the VPNs that allow people to enter the corporate network, or the doors and windows that allow us access into our own homes. My worry about walls between nations is that they decrease interaction and, by extension, understanding and trust, which is a surer path toward long-term security. Sure, walls can provide security in the short term, but they're not a solution for the long term.

As you look at information security today, what do you see compared to five years ago?

Nothing has surprised me about how criminals have evolved on the Internet. Those who were paying attention knew that criminals would find the Internet as soon as there was substantial money there, and that criminal activity would get increasingly sophisticated and organized. What's more surprising is, well, that so many people were surprised by this. We're still fielding security products to defend against the hacker threat instead of the criminal threat. We're still more focused on the specifics of tactics—again, to defend against a hacker mind-set—than the generalities of threats that better characterize criminals. Criminals are not hackers. They are more tolerant of risk. They have better funding. They are more interested in the goal than the method of reaching that goal. They are older than hackers, and more experienced. And they're international.

How could this gap between the problem and how we understand and address it still exist, five years on, with so much damage to computers and people in our wake?

There are several reasons for this gap.

One is systemic; the bad guys are always going to be at least one step ahead of the good guys—they're more nimble, have less bureaucracy, are quicker to adapt to new technologies—and in a fast-changing technological world this gap is only going to get worse. The second is tactical; we are focused more on technology than on the broader picture. Security companies sell technological point solutions. News stories are about tactics, which reinforces this view. And we're all enamored with technology; otherwise, we would be doing something else for a living, and we often ignore the forest for whatever neat techie trees we're currently working with.

You always seem to find inspiration for security wisdom in unusual places.

I find the most surprising security wisdom in the insect world. Evolutionarily, they've tried just about everything. Attack-and-defense techniques that worked were repeated, and those that failed weren't. Because evolution tries solutions at random and stops at the first workable solution found, insects tended to arrive at interesting and surprising solutions.

By and large, ants differentiate friends from foes by their sense of smell. There are some beetles that have evolved to defeat this security system by sneaking into the ant colony and laying low, playing dead if attacked, until they acquire the scent of their ant neighbors. After that, they're tolerated in the nest by the ants even as they feast on ant larvae.

Some flowers have long tubelike shapes to prevent bees, which don't pollinate them very effectively, from stealing their nectar. They prefer long-tongued hummingbirds. But some bees have evolved to chew a hole in the side of the flower and get the nectar that way.

But the neatest story I've found is about how lima bean plants defend themselves. When two-spotted spider mites attack them, the plants emit a chemical distress signal. The distress signal helps in three distinct ways. One, it gets other, nearby lima bean plants to start sending out the same distress signal, even if they're not being attacked yet. Two, it repels other two-spotted spider mites. And three, it attracts carnivorous mites to prey on the herbivorous two-spotted spider mites. Yes, the plants have evolved to call in air strikes against their attackers. ■


COVER STORY

JOE HAS A SECRET. He's founder and principal scientist at a pharmaceutical research company. He's working on a potential multibillion-dollar breakthrough that lots of competitors would like to grab. How will Joe keep his work safe? Fortunately, he has a bit of a James Bond streak (and a good bit of coin to indulge it). Here are some of the defensive measures at Joe's Office.

Illustration legend (numbered callouts): 2 Fence and Flora, Page 30; 3 Parking and Bollards, Page 30; 4 Briefcase, Page 31; 5 Lobby: Surveillance System, Prox Card, Visitor Management System, Page 32; 6 Multifunction Printer, Page 32; 7 Windows, Page 34; 8 Shredder, Page 34; 9 Biometrics, Page 35; 10 Joe's Office: Filing Cabinet, Whiteboard, Laptop, Page 36.

Gatehouse

At the property entrance, there are two lanes—one going in and one going out—with the gatehouse between them. Fixed cameras capture the make and license plate of each vehicle as well as the driver's face. All this is mapped to a database. The guard inside the station can see if Joe is driving the car make and model listed in his employee record, and can check to make sure it's the right license plate. It can be set up to also match his face to the face in the employee directory. This process can be applied to delivery trucks as well. The guard also has a list of expected visitors provided by the visitor management system—more on that when Joe gets to the lobby. Unexpected visitors and deliveries are generally turned away.

And what's to stop a determined intruder?

As he passes the gatehouse, Joe drives over a patterned area in the road. This is where the auto-blocking technology is located. Joe has opted for a safety net, almost literally—a GRAB-sp, for Ground Retractable Automobile Barrier from Universal Safety Response. This netlike device is far enough past the gatehouse that if someone tried to force his way through, the guard could still pull it up in time to stop him. The GRAB system would more or less fulfill its name, stopping vehicles of up to 80,000 pounds in a considerably less destructive manner than retractable bollards do. (Although Joe greatly enjoyed watching numerous vendors' truck-ramming-bollards videos during his evaluation phase.)

These are not cheap systems; it might cost more than $100,000 to put a vehicle restraining system in one lane. But the gatehouse is the critical access point in the office's perimeter defense. -Michael Fitzgerald


Illustration by David Puckett


Fence and Flora

Joe's building is somewhat distinctive but only because it has more setback space around it and a smaller parking lot. Having passed through the gatehouse checkpoint, Joe enjoys the short tree-lined drive to the building, which is about three hundred yards from the street.

The many trees soften the property's appearance and make it look like a pleasant place to work; on a more subtle note, they also obstruct the view of the building at all points along the driveway. And the trees directly adjacent to the building are hardy orange, which are attractive but also quite thorny, to provide trespassers with a very unpleasant climbing experience. (Hawthorn bushes make a nice alternative.)

The property is bordered by the fence, with discreet No Trespassing signs placed periodically. It isn't a chain-link fence, either—it is an 8-foot, high-security, steel fence, with a K rating (a measure of how much kinetic energy, or speed plus weight, it can resist) that indicates it can stop a 15,000-pound truck going 40 miles per hour. This fence helps make sure there is only one easy way to get to Joe's building, which is by staying on the road around it until you get to the gatehouse.

"You can have beautiful, decorative fences now that are, at the same time, durable and have security features like anticlimbing and antiprying," says Steve Hunt, head of Hunt Business Intelligence in Evanston, Ill. Indeed—beauty and beast in one package, at a rate of about $100 to $400 per foot, depending on the options selected.

In fact, Joe didn't use all the security features he might have. Using an 8-foot fence (instead of a 6-footer) means it would be hard for someone to quickly leap over it, but it is certainly not impassable. He also selected a straight picket, not curved at the top or tipped with triple points—which would be more difficult to surmount but also would have cost more and would have made it more obvious to the outside observer that the building houses something valuable.

There's more than meets the eye to Joe's defensive perimeter. A 3-foot-deep, foot-and-a-half-wide trench has been dug all the way around the boundary, then filled with concrete. Anyone with dreams of digging underneath the fence would be in for a long project. The main posts, about 10 feet apart, are set in four feet of concrete.

And if the potential intruder gave up the shovel and tried climbing instead, he would trip the FiberPatrol fiber-optic-based sensor network, alerting a guard to the location of the attempted breach. It's not quite a pinpoint system, but it would put the guard within several feet of the right spot on the fence.

The trees inside the property are set far enough back from the fence to make it unrealistic for someone to try to rope a branch and climb over, and there are no trees outside the fence. -M.F.


Parking and Bollards

Having passed the gatehouse, Joe comes to a fork in the road and goes left to end his commute in the parking lot, passing over a second GRAB system. (Delivery trucks take the right fork; any truck that takes the left fork despite clear instructions at the gatehouse runs the risk of being grabbed. An aside: This approach is what James M. Atkinson, president and senior engineer at Granite Island Group, a security consultancy in Gloucester, Mass., calls "avocado" security. In his world, there's onion security, layers of defenses that are independent of each other, and avocado security, which has closely intertwined levels. Avocado is better, though not foolproof, says Atkinson. His mantra: If one man can build it, one man can break it, and he says that holds true for every aspect of security. "A clever new toy doesn't make you more secure," he says. "A high-security lock may mean it takes 15 minutes to pick a lock instead of 15 seconds, so you have to exploit the 15 minutes to do something to get in their way.")

Here, if his mind isn't already too engaged in the day's research, Joe might recall the dispute he had with his CSO during the headquarters planning and selection phase. The CSO had lobbied hard for an underground employee parking lot with its own access control system, surveillance, attendants and so forth. For cost reasons, Joe settled for a more conventional office parking arrangement, with a well-lit lot separated from the building by a row of bollards.

Bollards are a fine technology, and time-tested, too. Pop-up bollards have been around since the 1100s, says Atkinson. "There is really nothing new in security under the sun. Everything is just clever new packaging," he says.

Atkinson notes that bollards have weak points—he has tied bomb-tipped broomsticks to a pickup truck, blown up a bollard and then driven his truck to the target area. Another issue they could have is that even if someone hits the bollard, the force of the explosion will carry past the bollard, potentially causing serious damage if the bollards are set too close to the building. Nevertheless, they provide an additional buffer against intentional or accidental damage to the building.

-M.F.

The briefcase can sound an alarm and deliver a 30,000-volt, remote-controlled shock to any thief who picks up the handle.

Briefcase


Joe's got the latest version of his secret in his briefcase. Needless to say, it's not your typical leather attache. This briefcase is equipped with a remote-controlled shock alarm that can deliver a 30,000-volt shock to anyone who puts the handle in his grasp, along with a loud alarm. (He got it through PiMall.com, one of his favorite leisure reading and shopping sites. He hopes he never has to use the shock function, as he is vaguely concerned about winding up in court or prison.)

The remote-control function offers other security features. The case can be set to a "loss-proof" function that alerts Joe with an alarm signal when he is more than five meters away from the case.

If Joe is robbed or threatened, and he's forced to give up the briefcase, its robbery-proof function will wait until the robber is as far as 100 meters away and cannot hurt Joe before it delivers the high-voltage electric shock and sounds the alarm. Retail price: $595.

On days when his cargo is not top secret but is still confidential, Joe might carry his Caseva Security Briefcase, which is made of lightweight aluminium alloy. Fitted with a 10-pin high-security tumbler lock and a pair of high-quality cast-steel combination locks, the briefcase is claimed to be "impenetrable to the opportunist thief." Each case also comes with a 1-meter-long plastic-coated multicore security tether, "allowing the briefcase to be secured to any immovable object in an unfamiliar environment such as a hotel room, vehicle interior or office."

Or he might carry his sleek Zero Halliburton attache. It's made of high-strength aluminum with a console lock that conceals a triple-digit combination and a single-button release mechanism. Extra-strength hinges withstand more than 400 pounds of pressure. The Halliburton set Joe back about $650.

-Stacy Collett



Surveillance System

With the spring of a new workday in his step, Joe passes through the front doors (with some prodding from the marketing department, he refrained from installing a mantrap at the main entrance) and greets the receptionist in the lobby.

His arrival is captured by IP-based surveillance cameras. Most surveillance cameras in use today remain analog—about 85 percent, estimates Fredrik Nilsson, General Manager, North America, of Axis Communications, which sells both analog and digital cameras. However, Joe's office was already wired with Cat-5 cabling, so an IP system made sense and, of course, offers Joe's company the possibility of using full-featured video analytics should Joe desire it at some point down the road. Analog cameras can also feed into IP networks but require the use of additional equipment: encoders and decoders.

The building features a variety of cameras, some overt—to deter illicit acts as much as to record them—and others more discreet.

On the discreet side, a camera the size of a Phillips-head screw can go for less than $80. Cameras dummied up to look like utility boxes start at about $315. Prices for more high-powered pan-tilt-zoom (PTZ) cameras can run upwards of $2,000. And as a practical consideration, unlike a low-voltage still camera, a PTZ camera needs more power than it can get through the Cat-5 cable.

Happily, Joe isn't running a casino; he doesn't want to record and replay fine details to try to detect sleight of hand. His main interest is to be able to get a look at the face of anyone who's in the wrong part of the building at the wrong time. So his cameras capture images of decent resolution but not a high frame rate, which reduces his bandwidth and storage requirements.

-M.F.

Visitor Management System

The receptionist's console uses a standard visitor management system, generating visitor badges and automating the process of notifying Joe, or any other employee, when a guest has arrived. High-end systems can initiate and automate most of this process simply by scanning a visitor's business card, although the receptionist should also request to see identification.

Some entry systems can integrate with time-and-attendance software.

At Joe's building, the visitor management system also generates a list for the gatehouse guard each day of expected guests.

Joe finds it hard to remember which system his company selected. Was it Lobby Works, Lobby Track, EasyLobby...? Big players in the market include GE Security, Honeywell, Lenel and Tyco, although there are options from smaller vendors as well.

All employees at Joe's office are instructed—and reminded, and reminded again—that unbadged or unaccompanied visitors anywhere in the facility are to be politely but firmly confronted with the specific question "Who are you here to see?" and escorted back out to the entrance. The question "Can I help you?" is discouraged, as it offers an intruder an easy dodge ("No thanks!").

-Derek Slater

Multifunction Printer

Once he's passed into the office itself (using his prox card; see Prox Card, below), Joe will need to make copies of his progress report for an upcoming meeting. He'll use his multifunction, networked printer with image-overwrite capabilities and secure print features that won't print out the document until he is standing at the printer.

Today's multifunction printers are becoming an on-ramp to and an off-ramp from the Internet. Now MFPs are about as powerful from a computing and interface standpoint as a PC. They have the ability to capture, digitize, route, file and store information that can be printed or retrieved and reviewed from the other end. Manufacturers Canon, HP and Xerox (to name just a few) offer multifunction printers with features to address the attendant security concerns.

The days of the monstrous centralized printer in the glass-enclosed room are all but gone. Workers want proximity and speed with their printing devices.

The computing power of MFPs also raises security concerns. "Paper is probably one of the least-secure things in the office today. It's out in the open and not under password protection. Unsecure printers and MFPs can contribute to [security breaches], too," says Robin Wessel, director of product marketing for desktop for Xerox's Office Group. Scanned documents or faxed data can remain in the system's stored memory. Networked MFPs or those connected to the Internet run some risk of hacker attacks.

Image-overwrite capabilities electronically shred information stored on the hard disk of devices as part of routine job processing. Xerox uses Department of Defense-level algorithms to completely erase scanned images from the device's memory.

It also offers a Secure Print feature that assigns a PIN to print projects, so sensitive documents won't sit at the printer location and lie vulnerable to prying eyes. Instead, the job waits in a queue until the employee reaches the printer location and enters the PIN. Xerox also offers encryption as a standard feature on its larger MFPs to protect data while it's being used. A baseline product with those built-in features, such as Xerox's Phaser 3635MFP, starts at $2,199.

Xerox has achieved Common Criteria Certification for a number of its multifunction devices. Common Criteria is an internationally recognized standard for product security claims.

HP's Indigo printer (usually reserved for professional printing businesses) uses Electroink liquid ink technology that can accept and print variable data, which can be serial numbers, names and other personalized identifiers. It can also print in invisible ink that can be read only under an ultraviolet lamp. In addition, Indigo can create secret alphanumeric codes to scramble your printout. The letters or digits are converted systematically into a sequence that can be checked by using a specific key or by referring to the printer's code system. The technology also allows "micro text," printing so small that it is nearly unseen by the untrained eye. Watermarks can also be added to printed documents to ensure authenticity. Some vendors offer companies a removable hard drive that allows administrators to physically remove the hard drive each night and lock it away. (See the filing cabinet in Joe's office.)

Joe might spend $300,000 to $1 million for his next printer upgrade, depending on the model he selects. -S.C.

Prox Card

Joe waves his proximity access card over the reader to unlock the door to leave the lobby and enter the heart of the office.

UK-based IMS Research says the access control integration market has four big (as in huge) players: General Electric, Honeywell, Tyco and United Technologies. Niall Jenkins, an analyst at IMS, says all four are effective integrators of the different systems needed to handle the physical and logical security management, as well as the closed-circuit television, surveillance cameras, and the intrusion and building management systems. "There's nobody that's streets ahead of anybody else," Jenkins said.

However, these power players are facing competition from newer firms, companies like Quintron. The software-as-a-service phenomenon has also come to access control, thanks to Brivo, which offers access control via the browser and claims to save the typical company about 70 percent up front, at a $3,300 installation price point, versus around $10,000 for a server and related systems. Because the maintenance is done offsite, Brivo argues that total cost of ownership is lower. Steve Hunt says these options are all worth a look.

But for Joe, with his new building, he's opted for the CoreStreet Card-Connected system, which combines physical access and IT systems, and uses the employees' smart cards themselves as a way to continually update access information. That's intended to make sure that the physical infrastructure doesn't lag the IT infrastructure, if, for instance, someone is let go. If an employee is deprovisioned from network access, that person's swipe card will stop working more or less immediately. (Honeywell is pushing hard in this direction as well, via a partnership with Imprivata and Novell.)

-M.F.
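The card-carried access update described in the Prox Card section, sketched as an added example (not CoreStreet's code, nor the magazine's): a central identity directory issues short-lived, HMAC-signed access assertions that an online reader writes to the card; offline door readers accept only a fresh, validly signed assertion bound to that card, so deprovisioning in the directory stops renewals and the card stops opening doors within the assertion's lifetime. The 15-minute validity window, the shared key, and all names are assumptions; the sketch also shows the two checks a door must make (signature and card binding) and the lag a defender should expect, which is the validity window rather than zero.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key. In a real deployment the signing key lives with the
# directory (ideally in an HSM) and door controllers hold only verification
# material; a shared HMAC key is an assumption made to keep the sketch short.
DIRECTORY_KEY = b"constructed-demo-key-not-for-production"
ASSERTION_TTL = 15 * 60  # assumed 15-minute validity window, in seconds


def _tag(body: dict) -> str:
    """HMAC over a canonical JSON encoding of the assertion body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DIRECTORY_KEY, payload, hashlib.sha256).hexdigest()


@dataclass
class Directory:
    """Central identity store: the single source of truth for who is active."""
    active: set = field(default_factory=set)

    def deprovision(self, employee_id: str) -> None:
        self.active.discard(employee_id)

    def issue_assertion(self, employee_id: str, now: float) -> Optional[dict]:
        """Called by an online reader to refresh a card; inactive users get nothing."""
        if employee_id not in self.active:
            return None
        body = {"sub": employee_id, "iat": int(now), "exp": int(now) + ASSERTION_TTL}
        return {"body": body, "tag": _tag(body)}


@dataclass
class Card:
    employee_id: str
    assertion: Optional[dict] = None  # written by the online reader

    def refresh(self, directory: Directory, now: float) -> None:
        # If the directory refuses, the old assertion stays and simply expires.
        new = directory.issue_assertion(self.employee_id, now)
        if new is not None:
            self.assertion = new


def door_admits(card: Card, now: float) -> bool:
    """Offline door decision: valid signature, bound to this card, not expired."""
    a = card.assertion
    if a is None:
        return False
    if not hmac.compare_digest(_tag(a["body"]), a["tag"]):
        return False  # forged or tampered assertion
    if a["body"]["sub"] != card.employee_id:
        return False  # assertion copied from another employee's card
    return now < a["body"]["exp"]


def termination_timeline() -> dict:
    """The scenario from the article: the card stops working after deprovisioning."""
    d = Directory(active={"joe", "alice"})
    card = Card("alice")
    t0 = 1_700_000_000.0                       # constructed epoch timestamp
    card.refresh(d, t0)                        # morning: lobby reader stamps the card
    result = {"before": door_admits(card, t0 + 60)}
    d.deprovision("alice")                     # HR deprovisions alice at t0 + 5 min
    card.refresh(d, t0 + 300)                  # next online tap: no renewal issued
    result["within_ttl"] = door_admits(card, t0 + 301)          # lag window
    result["after_ttl"] = door_admits(card, t0 + ASSERTION_TTL + 1)
    # Tampering: the expiry on the card is edited, so the HMAC no longer matches.
    forged = Card("alice", {"body": dict(card.assertion["body"], exp=int(t0) + 86400),
                            "tag": card.assertion["tag"]})
    result["forged"] = door_admits(forged, t0 + 60)
    # Cloning: alice's valid assertion copied onto another card fails the binding check.
    cloned = Card("mallory", card.assertion)
    result["cloned"] = door_admits(cloned, t0 + 60)
    return result


if __name__ == "__main__":
    print(termination_timeline())
```

The `within_ttl` result is the point to keep in mind when a vendor says "more or less immediately": the revocation delay equals the assertion lifetime, so that window should be chosen to match the risk.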



Joe’s  shredder 

CUTS  A  SINGLE 
SHEET  OF  LETTER- 
SIZE  PAPER 
INTO  10,000 
MICROPARTICLES, 
TOO  SMALL  TO 
BE  READ  BY 
AN  ELECTRON 
MICROSCOPE 


Shredder 


Wi 


Windows

The exterior windows of Joe’s office and laboratory protect him from bullets, explosive blasts and forced-entry threats. They are made of 2-inch-thick laminated ballistic glass tinted to a blue-green hue for protection from the sun and from prying eyes. This highest level of protective glass allows 60% sunlight exposure and weighs 28 pounds per square foot.

Inside, the glass surrounding the conference room is covered with a protective film that can withstand an attack from weapons such as a baseball bat, a chair or other heavy objects. While a would-be intruder might muster enough force to shatter the window, it will require repeated blows to break through the film. Companies like ShatterGard, ACE/Security Laminates and Glass Security offer security film products. Others, including Pacific BulletProof and Pinnacle Armor, provide bulletproof doors and glass. -S.C.


When Joe is done with his printed documents, he shreds them using a high-security shredder that meets the federal security requirement demanded of the Department of Defense, NATO and other government and military organizations for disposing of top-secret documents. All DoD-approved shredders must meet exacting standards for crosscutting the documents until they are unrecognizable and can’t be glued back together.

(Lest you think no one would do this, remember there are billions of dollars on the line, and that “Dumpster diving” is a common enough activity to have a catchy name. Also, students seeking a Master of Science in conservation at some universities are required to shatter a lightbulb and then glue it back together. There are plenty of examples of extreme efforts to reassemble any object of value.)

Joe’s Level 5 High Security crosscut paper shredder is built with 1,700 components that shred a single sheet of letter-size paper into 10,000 microparticles that are so small they are unreadable even through an electron microscope. The GSA-approved high-security shredder costs about $1,200. Secure onsite or offsite shredding is also available as a service from national providers such as Iron Mountain as well as from numerous regional companies. For Joe’s purposes, offsite shredding would have necessitated sending a trusted employee along with the documents to observe and document their destruction; shredding onsite seemed more practical.

When it’s time for a new PC or laptop, Joe can destroy the old hard drive, as well as used CDs, DVDs and other media, in the office’s central multimedia disintegrator. He feeds his high-tech trash into a large, 16-by-19-inch feed opening, and then the DoD-approved, high-security shredder pulverizes the devices with an 8-blade cutting system—leaving a single bag of microscopic debris. The super-shredder set the company back about $21,000, and Joe’s policies are quite strict and detailed regarding destruction of sensitive information in any form. -S.C.




Biometric Access Control

The regular prox-card system does not provide access to the inner sanctum, Joe’s actual office suite: He must enter through a door equipped with a lock and handle that use scan thermal imaging technology. The handle measures the temperature differences between the peaks and valleys of his fingerprints and creates recognition points.

Unlike typical optical reader locks, “we’re not storing actual fingerprints, and we’re not leaving a fingerprint when you access the lock,” says Gary Kut, director of sales at Tychi Systems, a Salem, N.H., company that makes biometric locks using the technology.

Scan thermal imaging, a relative newcomer to the security lock arena, is more commonly used in engineering to check the density of materials such as a bridge girder or a small part for the Space Shuttle, to make sure materials are being made to performance specifications, Kut says. It has also been used by emergency rescue teams to locate avalanche victims.

Prices  Drop 

The demand for biometric locks continues to grow as prices come down and companies find new uses for keyless access, but security is the number-one concern. Almost half of all company data breaches are not the result of a hacker but of a lost or stolen laptop, memory device, PDA, memory stick, CD or DVD, according to a survey by Vontu, a security software firm now part of Symantec. More than 60 percent of those incidents are caused by an “insider threat”—an employee.

“Even an executive working on confidential information is not apt to pick up keys and lock the door to go down the hall” for a few minutes, Kut says. “It takes seconds for someone to go in the door, grab a PDA and walk out with it.” Even if the intruder has a registered fingerprint, the locks keep an access log of the last 2,000 entrants. The log registers the entrant’s name and the date and time he entered and left the room.

The price of a BioKnob bio-lock system ranges from $599 to $699 at Tychi Systems, depending on the style of the door handle, but the technology is the same. All hardware and software is included in the lock. No special installation is required, according to the company.

Other  Approaches 

While fingerprint technologies are more widely adopted, retinal scanning is growing in popularity, and facial recognition technologies have advanced from traditional 2-D to 3-D scanning.

Bioscrypt, a division of L-1 Identity Solutions in Stamford, Conn., offers 3-D face recognition technology that makes it possible to collect more data points than the previous 2-D technology. For instance, while 2-D face recognition relies on such data as the distance between the eyes, 3-D scanning relies on structural information, such as the skull curvature, which doesn’t change over time or as a result of facial swelling caused by an accident or weight loss or gain, unless it’s extreme. Expect to pay as much as $45,000 for a sophisticated 3-D face reader for access control, while face recognition readers for network access can cost as little as $20 to $30 per user.

Other lesser-known technologies are breaking into the market as well. Palm vein authentication devices read the very complicated, hard-to-reproduce vein patterns found deep within the hand. Fingerprints, in contrast, are based on making contact, and can be “lifted” from a glass surface and duplicated using commonly found ingredients.

A key advantage of palm vein authentication, product vendors say, is that it uses “no touch” technology, enabling it to be used when hands are dirty or wet, or even if the skin surface is scratched. Since the hand never touches the sensor’s surface while being scanned, it is ideal for germ-sensitive environments, such as a laboratory. Palm vein authentication devices also record the name, date and time of each entrant’s arrival and departure.

Israel-based BioGuard Components & Technologies launched its Palmguard biometric authentication system in April. The desktop device is a combination of Fujitsu’s PalmSecure biometric palm vein authentication sensor and a smart-card reader or writer device. When a user positions a hand 3 cm to 6 cm above the sensor’s surface, the sensor emits a near-infrared beam to the palm, according to BioGuard’s website. The light beam passes the skin layers and reaches the veins. The reduced oxygen in the blood flowing back to the heart absorbs the near-infrared light. This absorption will be recorded by the sensor’s camera as a raw image, which is then encrypted. The encrypted data is transferred to the sensor’s template library software, which converts and compresses the encrypted, raw image to a template with a size of approximately 1KB. Then the final template is encrypted again. -S.C.




Laptop 


Obviously, Joe’s laptop computer is equipped with the most up-to-date antivirus, firewall and encryption solutions, but it also has more advanced security gizmos.

His laptop carries an embedded fingerprint swipe reader that prevents others from masquerading as Joe. When he powers on his laptop, a touch of his finger to the mouse grants Joe access to specific applications, files, databases and even individual functions. Fingerprint identification is also available for his keyboard and even his PCMCIA cards.

Fingerprints are able to reliably provide “proof of presence” that ensures that the laptop can be accessed only by the actual people to whom permission is specifically granted.

Redwood City, Calif.-based DigitalPersona offers a fingerprint authentication solution that allows users to log on to Microsoft Windows Vista and XP Professional computers and networks with the touch of a finger. When added security is required, multicredential authentication can be enforced.

Many vendors offer fingerprint authentication solutions for less than $100 per user, according to Jeffrey Bernstein, senior director, information assurance, at security consulting firm Asero Worldwide in Washington, D.C.

Scan thermal imaging and even 3-D face readers are also available to control laptop, desktop and network access from companies like AuthenTec, based in Melbourne, Fla., and L-1 Identity Solutions in Stamford, Conn., to name a few.

Preventing Peripheral Damage

Joe is also aware that danger lurks in the peripherals that he, or others, might connect to this laptop—an MP3 player, memory stick, optical device or even the network printer. So he uses an endpoint access manager that controls, monitors and logs how his data is downloaded and uploaded to those endpoints.

He can block all actions from those peripherals, permit specific actions or


Whiteboard

Joe’s a visual guy and often uses his interactive whiteboard to brainstorm or just to jot down some notes. This whiteboard allows him to write with a dry erase marker, and then he can print out a copy of the board’s contents on the attached inkjet printer. The board scans its surface and creates a one-time printout, with no saved file. He can always use the board’s USB port to save the file onto a flash drive or directly to his laptop, but printing to his secure printer ensures that there will never be another copy of his confidential notes.

Of course, he automatically erases the contents of his whiteboard at the end of every session. Joe dropped about $1,800 on this model.

Other interactive whiteboards in his office link directly to his secure desktop PC, and screenshots are saved as a PDF file in a folder on his computer. He can hide his notes simply by turning off the projector, and when he’s done, by hitting the “erase all” button on the boards’ remote-control device to keep his notes from prying eyes. The price tag on those models can reach $10,000.

Need we state the obvious: Joe’s whiteboard has shutters and a lock. -S.C.


Filing Cabinet

Joe has some paper records and printouts that he doesn’t have the time or desire to digitize. So his office sports a filing cabinet—but it will be no surprise that his filing cabinet is essentially a safe. It’s Underwriters Laboratories-rated TL-30 for theft resistance, meaning it should take a burglar with a good set of drills and tools 30 minutes to break in (recalling the consultant Atkinson’s point about security using that window of time to discover the intruder and do something about it). And it’s got a UL fire-resistance rating of “Class 350 one-hour fire and impact,” which means the safe can withstand being heated to 1,550 degrees for an hour and then being dropped 30 feet onto concrete rubble. (Sometimes Joe thinks he’d rather work at Underwriters Laboratories.) -D.S.




just monitor the activities on all of his communication interfaces.

Companies such as ControlGuard in Bridgewater, N.J., offer this type of solution for about $25 per user. Their product is now being built into several models of SanDisk memory stick products.

Software That Hunts Down Thieves

Joe also doesn’t forget about the average thug who could just rip the laptop from his hand on his way to or from the office. So his laptop is equipped with an internal Lojack system. If the laptop is stolen, software on his computer will silently contact a monitoring center and report its location using any available Internet connection. Then a recovery team, staffed by former police officers and security professionals, works with local law enforcement to get the laptop back.


To ensure that his stolen laptop takes company secrets to the grave, Joe also has a Data Delete feature that uses algorithms that meet the United States Department of Defense standard for data removal. Once removed, data cannot be recovered by any means. When a data delete function completes, a log file can be viewed in the Customer Center website, confirming that all sensitive data has been deleted.

Computrace Lojack for Laptops, a product by Absolute Software in Bellevue, Wash., offers its premium laptop theft protection for a one-year subscription of $50, and $100 for a three-year subscription. The data delete feature costs extra and is part of an enterprise package called ComputraceComplete. The company claims to retrieve three out of four laptops reported stolen, or about 5,000 laptops to date.


Outsmarting  the  Bad  Guys 

To keep a step ahead of would-be saboteurs, hackers and thieves, Joe continually updates his laptop security software and devices with the latest products by smaller, agile companies—just as government security agencies do.

“We can be assured that whatever technology we’re fielding, there are potential adversaries whose adaptation cycle is rapid” as well, says Kathleen Kiernan, CEO of security consulting firm The Kiernan Group in Washington, D.C., and an adviser to the intelligence industry. “Sometimes development of technology is really slow—so we’re looking for that small, agile company on the cutting edge that is thinking through hard problems” and how to thwart not just existing security threats, but the next generation of threats, she adds.

Just to be extra cautious about a really old-fashioned threat, Joe keeps his laptop physically locked to his desk with a steel cable during the day. -S.C.


...And  So  On 


Needless to say, Joe has a white- and pink-noise generator ($115) from Radio Design Labs in his office to protect conversations from electronic eavesdropping. (He briefly considered adding Tempest shielding during the last round of renovations, but some costs are beyond even Joe’s means.) The HVAC systems and various controls around the building are protected with locking mechanisms from McGard and other specialty providers.

And he’s got his eye on new mantraps: Smiths Detection’s latest biological sensors, night-vision surveillance technology from NoblePeak and a package scanner for the mailroom.... ■

Got feedback or suggestions for Joe? Send it to Editor Derek Slater at dslater@cxo.com.


MORE ONLINE: Selections from CSOonline.com’s archives offer more tips and ideas for protecting everything from the prosaic to the priceless.

The Architect: How to Design a Secure Facility
Genzyme’s headquarters building is an architectural marvel of glass. Dave Kent’s challenge was to secure it.
www.csoonline.com/article/218079

19 Ways to Build Physical Security into a Data Center
From authentication to air handlers—every detail in a sensitive data center demands scrutiny.
www.csoonline.com/article/220665


Modern Crowd Control Lessons from Ancient Pompeii
Crowd control experts say today’s stadiums and events should take notes from the Romans.
www.csoonline.com/article/221329

Information Security Lessons from a Bronze-Age Fort
The Irish island fortress of Dun Aengus demonstrates key defense-in-depth principles.
www.csoonline.com/article/220224

How to Secure a Priceless Painting
Museum security is a kind of art form unto itself: to bring us as close as possible to inspiration while preventing miscreants from stealing it.
www.csoonline.com/article/221750




[INDUSTRY VIEW]

By Ira Winkler

The Time and Place for Awareness Training

Awareness training is great when people can hurt only themselves. But when people can hurt others, stronger measures are required.


During the recent RSA Conference in San Francisco, I was part of a panel organized by the National Cyber Security Alliance (NCSA). The subject was botnets, and the copanelists included people from the Department of Homeland Security, the FBI, McAfee and, of course, the NCSA.

As the panel went on, I became aware of an incredible irony: I was the person who was most against awareness training. After all, if you read any of my books, you will see that I state that awareness training is the most effective security expenditure.

Now I am accusing people who rely on awareness training of being negligent. I had to reassess my arguments.

A few years ago, if you told me that the Department of Homeland Security had a group of people assigned to do nothing but awareness training, I would have responded that it was a long time in coming. I would have praised them for finally putting money proactively toward trying to deal with the most common cause of security vulnerabilities: poor security awareness, ignorance, apathy, and so on.

Now I end up criticizing the DHS for being poorly proactive in their reliance on and touting of their security awareness campaign. Again, my mind was spinning to try to figure out where this disconnect was coming from.

I pretty soon realized the issue. Previously, when people exercised poor security awareness, they hurt themselves.

Now the big problem is that when they exercise poor security awareness, they hurt others. It completely changes the model, at least in my mind.

Before, when people left themselves vulnerable, they were the victim of a crime. They were the people who had their identity stolen. They were the people whose computers were trashed. They were the people who suffered in the end. Now, these “victims” are the facilitators of crimes against others. They are the enablers, the unwitting accomplices. These “victims” are the drivers of crimes.

So, essentially, I realized that awareness training is appropriate when people can hurt only themselves. However, when people can hurt others, we need laws to protect ourselves from these people and to force them to secure themselves or to get off the Internet.

The root of all botnets is the poorly protected computers that are compromised. These poorly protected computers are typically poorly maintained PCs that run without basic software updates and security software enabled. If the PC user were the only victim, I couldn’t care less.

However, the reality is that these PCs enable distributed denial-of-service attacks, which enable extortion against people and organizations that are doing everything right. They are the source of phishing attacks, which raise bank and credit card rates in the long run. They enable identity theft. They raise costs for computer bandwidth.

What it comes down to is that there are hard costs being absorbed by society because of poor computer security awareness.

In the real world, this would be a no-brainer. After all, you have to properly maintain your car or you have to take it off the road.

If your house is a mess, that is your problem unless it begins to attract rats and becomes a health hazard to your neighbors. Then, you can be fined until the situation is corrected. You can also be evicted or your house can be condemned if you allow the situation to go on. Everyone can apply for a driver’s license. However, that license can be taken away if you endanger others when you drive.

Why, then, are people allowed unfettered access to the Internet, even if they clearly demonstrate that they are an imminent danger to others?

It would be great if awareness training were successful and would make a significant impact. The reality, though, is that awareness training has proven itself less than reliable in making any significant improvement in the overall security of the Internet.

More important is that the threat to innocent victims continues to grow, as we seem to be relying only on security awareness and the lack of responsibility on the part of others. ■


Ira Winkler is president and founder of the Internet Security Advisors Group (ISAG). Contact him at ira@isag.com.




Photo  by  Cade  Martin 


6th Annual Executive Women’s Forum
Information Security, Risk Management & Privacy
September 16-18, 2008 | Sheraton Wild Horse Pass | Chandler, AZ

Building a Holistic Risk Approach: The Power of Leveraging

Hosted by Alta Associates, Inc., the 6th Annual Executive Women’s Forum (EWF) brings together more than 200 women of influence, power and intelligence to explore the challenges of building a holistic risk approach.

Learn how industry experts are leveraging their technology, networks, and organizations to achieve success.

The EWF provides a unique atmosphere that fosters the development of creative ideas, innovative solutions and deep relationships. Join your peers in gaining practical knowledge of best practices.

AGENDA
> Keynote: Leveraging Your Unique Strengths, Val Rahmani, General Manager IBM ISS, Security & Privacy
> Protecting Privacy: Leveraging Relationships Internally and Externally
> Board of Directors Boot Camp with Susan Stautberg
> Convergence: The Good, the Bad & the Ugly
> Emerging Technologies and Emerging Workforces
> Managing Risk in a Flatter World
> International Threat Landscape Workshop
> Speaker: Dale Atkins, Author of “Sanity Savers”

Attendees from the 2007 Executive Women’s Forum.

WOMEN OF INFLUENCE AWARDS

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women’s Forum.

NOMINATION FORM AVAILABLE AT: http://public.cxo.com/awards/WOI_2008_application.html

Nominations must be submitted by August 1, 2008.

Media sponsor & awards co-presenter: CSO magazine (Business Risk Leadership)
Forum host & awards co-presenter: Alta Associates, specialists in executive recruiting
Diamond Sponsors: Information Networking Institute, Carnegie Mellon; Microsoft


[DEBRIEFING]

A Firm Grasp

Blast from the Past

Ah, nostalgia. This photo from the Modern Mechanix magazine showed the state of the art in electrical submission technology in Sept. 1935.






The latest and greatest in online security. Also the greenest.

Get visible site security from the company your customers trust.

[Screenshot: browser address bar showing https://www.overstock.com/checkout with the green bar “Identified by VeriSign”]

It’s simple: a green bar means your site is secure. For your customers, this means they can trust their Web experience. It’s all done through VeriSign® Extended Validation (EV) SSL Certificates, which verify and visually represent the authenticity and security of Web sites. This protects you and online customers. Combine visitor confidence with the strongest encryption available to each site visitor to maximize your site’s overall security profile.

Get your free white paper, The Latest Advancements in SSL Technology, at www.verisign.com/cso or call 1-866-893-6565 or 1-650-426-5115.

2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


Some would pay BILLIONS


Every day you read about some company’s intellectual property stored on a portable storage device that is either lost or stolen. With Lumension’s Data Protection Solution you know who is accessing your company’s data and with what devices. Don’t wait to find out how much someone would pay for your information. Get Proactive. Get Lumension.

Learn more about data protection misconceptions and how Lumension Security’s Data Protection Solution can protect your data by downloading the whitepaper at lumension.com/security-tip-22 or for a FREE 30 DAY TRIAL call us at 1.888.970.1025

Vulnerability Management / Endpoint Security / Data Protection / Compliance

Lumension Security

15880 N. Greenway-Hayden Loop, Suite 100 / Scottsdale, AZ 85260 / 1.888.970.1025 / www.lumension.com
© Copyright 2008, Lumension Security™, Inc. All Rights Reserved.


